Security updates for versions update and check scripts (#784)

- Limit permissions of who can execute version update script
- Always checkout version update script from main to prevent script injection

Signed-off-by: Kate Goldenring <kate.goldenring@fermyon.com>

Author: kate-goldenring

.github/workflows/check-versioning.yml

@@ -59,6 +59,14 @@ jobs:
       with:
         persist-credentials: false
 
+    # Security: Checkout the trusted version.sh from main branch to prevent script injection
+    - if: startsWith(github.event_name, 'pull_request')
+      name: Checkout version.sh from main branch
+      run: |
+        git fetch origin main
+        git checkout origin/main -- version.sh
+        chmod +x version.sh
+
     # Only run version check for PRs. If PR does NOT have "same version" label, then ensure that
     # version.txt is different from what is in main.
     - if: startsWith(github.event_name, 'pull_request') && !contains(github.event.pull_request.labels.*.name, 'same version')

.github/workflows/update-versions.yml

@@ -30,7 +30,7 @@ jobs:
           })
 
   build:
-    if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version')
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/version') && (github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
     runs-on: ubuntu-latest
 
     steps:
@@ -57,7 +57,14 @@ jobs:
       with:
         repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }}
         ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }}
-    
+
+    # Security: Checkout the trusted version.sh from main branch to prevent script injection
+    - name: Checkout version.sh from main branch
+      run: |
+        git fetch origin main
+        git checkout origin/main -- version.sh
+        chmod +x version.sh
+
     - name: Update version minor
       if: contains(github.event.comment.body, '/version minor')
       run: |