[SECURITY] Additional security hardening for CI/CD (- WIP #485 -)

Changes in file .github/actions/check-control/action.yml:
 * Improved hardening

Changes in file .github/actions/checkout-and-rebuild/action.yml:
 * Improved hardening

Changes in file .github/actions/run-minimal-acceptance-tests/action.yml:
 * Improved hardening

Changes in file .github/actions/setup-py-reqs/action.yml:
 * Improved hardening

Changes in file .github/workflows/CI-CHGLOG.yml:
 * Improved hardening

Changes in file .github/workflows/CI-DOCS.yml:
 * Improved hardening

Changes in file .github/workflows/CI-MATs.yml:
 * Improved hardening

Changes in file .github/workflows/Tests.yml:
 * Improved hardening

Author: reactive-firewall

.github/actions/check-control/action.yml

@@ -107,12 +107,14 @@ runs:
   using: composite
   steps:
     - id: output_sha
-      if: ${{ !cancelled() }}
+      if: ${{ (github.repository == 'reactive-firewall-org/multicast') && !cancelled() }}
+      env:
+        CI_INPUT_TARGET_SHA: '${{ inputs.sha }}'
       shell: bash
       run: |
         set -euo pipefail
 
-        raw_input='${{ inputs.sha }}'
+        raw_input="${CI_INPUT_TARGET_SHA}"
 
         # Reject NUL or newline immediately
         if printf '%s' "$raw_input" | grep -q '[^[:print:]]'; then

.github/actions/checkout-and-rebuild/action.yml

@@ -72,9 +72,11 @@ runs:
         token: ${{ inputs.token }}
     - name: "Checkout Target Commit by SHA"
       shell: bash
+      env:
+        CI_INPUT_TARGET_SHA: ${{ inputs.sha }}
       run: |
         printf "%s\n" "::group::target-commit"
-        git checkout --force --detach ${{ inputs.sha }} --
+        git checkout --force --detach "${CI_INPUT_TARGET_SHA}" --
         printf "%s\n" "::endgroup::"
       if: ${{ (github.sha != inputs.sha) && success() }}
     - id: output_branch_name

.github/actions/run-minimal-acceptance-tests/action.yml

@@ -81,11 +81,13 @@ runs:
     - name: "Calculate Commit SHA"
       id: output_sha
       if: ${{ !cancelled() }}
+      env:
+        CI_INPUT_TARGET_SHA: '${{ inputs.sha }}'
       shell: bash
       run: |
         set -euo pipefail
 
-        raw_input='${{ inputs.sha }}'
+        raw_input="${CI_INPUT_TARGET_SHA}"
 
         # Reject NUL or newline immediately
         if printf '%s' "$raw_input" | grep -q '[^[:print:]]'; then

.github/actions/setup-py-reqs/action.yml

@@ -66,11 +66,13 @@ runs:
     - name: "Calculate Commit SHA"
       id: output_sha
       if: ${{ !cancelled() }}
+      env:
+        CI_INPUT_TARGET_SHA: '${{ inputs.sha }}'
       shell: bash
       run: |
         set -euo pipefail
 
-        raw_input='${{ inputs.sha }}'
+        raw_input="${CI_INPUT_TARGET_SHA}"
 
         # Reject NUL or newline immediately
         if printf '%s' "$raw_input" | grep -q '[^[:print:]]'; then

.github/workflows/CI-CHGLOG.yml

@@ -61,6 +61,7 @@ jobs:
             echo "should_run=true" >> "$GITHUB_OUTPUT"
           else
             echo "should_run=false" >> "$GITHUB_OUTPUT"
+            exit 1 ;
           fi
       - id: get_trigger_id
         if: ${{ (steps.check.outputs.should_run == 'true') && success() }}

.github/workflows/CI-DOCS.yml

@@ -58,6 +58,7 @@ jobs:
             echo "should_run=true" >> "$GITHUB_OUTPUT"
           else
             echo "should_run=false" >> "$GITHUB_OUTPUT"
+            exit 1 ;
           fi
       - id: get_trigger_id
         if: ${{ (steps.check.outputs.should_run == 'true') && success() }}

.github/workflows/CI-MATs.yml

@@ -65,9 +65,10 @@ jobs:
             echo "should_run=true" >> "$GITHUB_OUTPUT"
           else
             echo "should_run=false" >> "$GITHUB_OUTPUT"
+            exit 1 ;
           fi
       - id: get_trigger_id
-        if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
+        if: ${{ (github.repository == 'reactive-firewall-org/multicast') && (steps.check.outputs.should_run == 'true') && success() }}
         run: |
           ID_VALUE=$(gh api "${{ github.event.workflow_run.url }}" --jq '.id')
           if [[ -n "$ID_VALUE" ]]; then
@@ -106,6 +107,8 @@ jobs:
           persist-credentials: false
           ref: ${{ steps.load_build_info.outputs.build_sha }}
           fetch-depth: 0
+          repository: reactive-firewall-org/multicast
+          token: ${{ env.GH_TOKEN }}
       - name: "Queue MATs GitHub Check"
         id: output_mats_check_id
         uses: ./.github/actions/check-control
@@ -118,10 +121,10 @@ jobs:
           workflow-run-id: ${{ steps.output_run_id.outputs.mats_id }}
           details-url: ${{ steps.output_run_id.outputs.mats_url }}
       - name: Checkout target commit
-        if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
+        if: ${{ (github.repository == 'reactive-firewall-org/multicast') && (steps.check.outputs.should_run == 'true') && success() }}
         run: git checkout ${{ steps.load_build_info.outputs.build_sha }}
       - id: get_env
-        if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
+        if: ${{ (github.repository == 'reactive-firewall-org/multicast') && (steps.check.outputs.should_run == 'true') && success() }}
         run: |
           echo "branch=$(git name-rev --name-only $(git log -1 --format=%H) | cut -d~ -f1-1)" >> "$GITHUB_OUTPUT"
           echo "parent_sha=$(git merge-base $(git log -1 --format=%H) refs/remotes/origin/stable)" >> "$GITHUB_OUTPUT"

.github/workflows/Tests.yml

@@ -82,6 +82,7 @@ jobs:
             echo "should_run=true" >> "$GITHUB_OUTPUT"
           else
             echo "should_run=false" >> "$GITHUB_OUTPUT"
+            exit 1 ;
           fi
       - id: get_trigger_id
         if: ${{ (steps.check.outputs.should_run == 'true') && success() }}
@@ -123,6 +124,8 @@ jobs:
           persist-credentials: false
           ref: ${{ steps.load_build_info.outputs.build_sha }}
           sparse-checkout: '.github/actions/check-control'
+          repository: reactive-firewall-org/multicast
+          github-token: ${{ env.GH_TOKEN }}
       - name: "Queue Tests GitHub Check"
         id: output_tests_check_id
         uses: ./.github/actions/check-control