workflows: improve security posture (#522)

caxu-rh · web-flow · commit f0e1f552a784 · 2025-08-27T14:59:41.000-05:00
- Pin actions used to a Git SHA-1 hash instead of a tag
- Don't persist credentials when using actions/checkout, except
  where needed (I did not find any places where it is needed)
- Use `gh` CLI to delete/recreate dev release instead of using
  third-party actions
- Use `gh` CLI to create tagged releases instead of using
  third-party actions
- Avoid cache usage when producing release artifacts (to prevent
  cache poisoning attacks)

Signed-off-by: Caleb Xu &lt;caxu@redhat.com&gt;
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -17,17 +17,20 @@ jobs:
 
         steps:
             - name: Checkout main branch
-              uses: actions/checkout@v4
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              with:
+                persist-credentials: false
             
             - name: Checkout PR branch
-              uses: actions/checkout@v4
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
               with:
                 ref: ${{ github.event.pull_request.head.ref }}
                 repository: ${{ github.event.pull_request.head.repo.full_name }}
                 path: "chart-verifier"
+                persist-credentials: false
 
             - name: Setup Go
-              uses: actions/setup-go@v5
+              uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
               with:
                 go-version-file: ./chart-verifier/go.mod
                 
@@ -76,7 +79,7 @@ jobs:
                 echo "date=$(/bin/date -u "+%Y%m%d")" | tee -a $GITHUB_OUTPUT
               shell: bash
 
-            - uses: actions/cache@v4
+            - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
               id: cache
               with:
                   path: ./chart-verifier/oc
@@ -178,17 +181,21 @@ jobs:
                 # check if version file was changed
                 ve1/bin/release-checker --version="${PR_VERSION}"
 
+            # TODO: Investigate if it's possible to do this using the `gh` CLI tool instead of
+            # relying on a third-party action.
             - name: Approve PR
               id: approve_pr
               if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              uses: hmarr/auto-approve-action@v4
+              uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
 
+            # TODO: Investigate if it's possible to do this using the `gh` CLI tool instead of
+            # relying on a third-party action.
             - name: Merge PR
               id: merge_pr
               if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              uses: pascalgn/automerge-action@v0.16.3
+              uses: pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67 # v0.16.4
               env:
                 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                 MERGE_METHOD: squash
@@ -202,10 +209,12 @@ jobs:
                 export ORIGIN_MAIN_SHA=$(git rev-parse origin/main)
                 echo "origin_main_sha=$ORIGIN_MAIN_SHA" | tee -a $GITHUB_OUTPUT
 
+            # TODO: Investigate if it's possible to do this using the `gh` CLI tool instead of
+            # relying on a third-party action.
             - name: Create release tag
               id: create_release_tag
               if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
-              uses: mathieudutour/github-tag-action@v6.2
+              uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
               with:
                 # It is necessary to use a Personal Access Token here rather than the usual GITHUB_TOKEN, as this
                 # step should trigger the release.yaml workflow, and events (such as tags) triggered by the
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -36,11 +36,13 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -65,12 +67,12 @@ jobs:
 
     - name: Perform CodeQL Analysis
       id: codeql_analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
 
     - name: Send message to helm_dev slack channel
       id: notify_dev
       if: ${{ always() &&  github.event_name == 'schedule' && steps.codeql_analysis.conclusion != 'success' }}
-      uses: archive/github-actions-slack@v2.9.0
+      uses: archive/github-actions-slack@c643e5093620d65506466f2c9b317d5d29a5e517 # v2.10.1
       with:
         slack-bot-user-oauth-access-token: ${{ secrets.SLACK_BOT_USER_OAUTH_ACCESS_TOKEN }}
         slack-channel: C02979BDUPL
@@ -85,7 +87,7 @@ jobs:
     - name: Send message to helm_notify slack channel
       id: notify
       if: ${{ always() &&  github.event_name == 'schedule' && steps.codeql_analysis.conclusion == 'success' }}
-      uses: archive/github-actions-slack@v2.9.0
+      uses: archive/github-actions-slack@c643e5093620d65506466f2c9b317d5d29a5e517 # v2.10.1
       with:
         slack-bot-user-oauth-access-token: ${{ secrets.SLACK_BOT_USER_OAUTH_ACCESS_TOKEN }}
         slack-channel: C04K1ARMH8A
diff --git a/.github/workflows/dev_release.yaml b/.github/workflows/dev_release.yaml
@@ -19,10 +19,12 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+              with:
+                persist-credentials: false
 
             - name: Setup Go
-              uses: actions/setup-go@v5
+              uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
               with:
                 go-version-file: go.mod
 
@@ -47,30 +49,19 @@ jobs:
                 # check if release file only is included in PR
                 ve1/bin/tar-file --release="${DEV_RELEASE}"
 
-            - name: Delete previous release and tag
-              id: delete-previous
+            - name: Create development tag and release
               if: ${{ steps.create-tarfile.outcome == 'success' }}
-              uses: dev-drprasad/delete-tag-and-release@v1.1
-              with:
-                delete_release: true # default: false
-                tag_name: ${{ env.DEV_RELEASE }} # tag name to delete
-                github_token: ${{ secrets.GITHUB_TOKEN }}
-            
-              # The next step seems to periodically create a draft release.
-              # We think this is because of a race condition.
-              # Force a wait after the previous release was deleted.
-            - name: Sleep and to buffer release recreation
-              id: sleep-after-delete-previous
-              run: sleep 8
+              env:
+                GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                TARBALL_FULL_NAME: ${{ steps.create-tarfile.outputs.tarball_full_name }}
+              run: |
+                gh release delete "${DEV_RELEASE}" --cleanup-tag --yes
 
-            - name: Create the release
-              id: create_release
-              if: ${{ steps.delete-previous.outcome == 'success' && steps.sleep-after-delete-previous.outcome == 'success' }}
-              uses: softprops/action-gh-release@v2
-              with:
-                tag_name: ${{ env.DEV_RELEASE }}
-                body: "Development release created with each merge into the main branch."
-                files: ${{ steps.create-tarfile.outputs.tarball_full_name }}
-                prerelease: true
-                draft: false
-                token: ${{ secrets.GITHUB_TOKEN }}
+                # The next step seems to periodically create a draft release.
+                # We think this is because of a race condition.
+                # Force a wait after the previous release was deleted.
+                sleep 8
+
+                gh release create "${DEV_RELEASE}" "${TARBALL_FULL_NAME}" \
+                  --notes "Development release created with each merge into the main branch." \
+                  --prerelease
diff --git a/.github/workflows/golang-style.yml b/.github/workflows/golang-style.yml
@@ -10,10 +10,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
 
     - name: Setup Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version-file: go.mod
 
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -17,7 +17,9 @@ jobs:
       runs-on: ubuntu-latest
       steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Get commit ID
         id: get_commit_id
@@ -39,7 +41,7 @@ jobs:
 
       - name: Push to quay.io
         id: push_to_quay
-        uses: redhat-actions/push-to-registry@v2
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
         with:
           image: chart-verifier
           tags: |
diff --git a/.github/workflows/python-style.yml b/.github/workflows/python-style.yml
@@ -16,7 +16,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
 
     - name: Set up Python
       uses: ./.github/actions/setup-python
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -41,15 +41,18 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version-file: go.mod
+          cache: false
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
         with:
           cosign-release: 'v2.2.4'
 
@@ -89,7 +92,7 @@ jobs:
       - name: Generate SBOM
         continue-on-error: true
         id: generate_sbom
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
         with:
           # Setting path to null works around this bug:
           # https://github.com/anchore/sbom-action/issues/389
@@ -114,17 +117,18 @@ jobs:
         id: release_body
         run: echo "release_body=$(ve1/bin/print-release-body)" | tee -a $GITHUB_OUTPUT
 
-      - name: Create the release
-        id: create_release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ steps.get_tag.outputs.release_version }}
-          body: ${{ steps.release_body.outputs.release_body }}
-          files: |
-            ${{ steps.build_bin.outputs.tarball_path }}
-            ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
+      - name: Create tag and release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ steps.get_tag.outputs.release_version }}
+          RELEASE_NOTES: ${{ steps.release_body.outputs.release_body }}
+          TARBALL_PATH: ${{ steps.build_bin.outputs.tarball_path }}
+          SBOM_FILENAME: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create "${TAG_NAME}" \
+            "${TARBALL_PATH}" \
+            "${SBOM_FILENAME}" \
+            --notes "${RELEASE_NOTES}"
 
       - name: Build container images
         id: build_container_images
@@ -139,7 +143,7 @@ jobs:
 
       - name: Push to quay.io
         id: push_to_quay
-        uses: redhat-actions/push-to-registry@v2
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
         with:
           image: ${{ env.IMAGE_NAME }}
           tags: |
diff --git a/.github/workflows/scan-branch-sbom.yaml b/.github/workflows/scan-branch-sbom.yaml
@@ -17,9 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Generate SBOM
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0.20.4
         with:
           # Setting path to null works around this bug:
           # https://github.com/anchore/sbom-action/issues/389
@@ -31,7 +33,7 @@ jobs:
           upload-release-assets: false
       - name: Scan SBOM
         id: scan
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
         continue-on-error: true
         with:
           sbom: temporary.sbom.spdx.json
@@ -45,7 +47,7 @@ jobs:
       - name: Send message on scan failure
         id: notify
         if: ${{ steps.scan.outcome == 'failure' && inputs.notify-on-failure }}
-        uses: archive/github-actions-slack@v2.9.0
+        uses: archive/github-actions-slack@c643e5093620d65506466f2c9b317d5d29a5e517 # v2.10.1
         with:
           slack-bot-user-oauth-access-token: ${{ secrets.SLACK_BOT_USER_OAUTH_ACCESS_TOKEN }}
           slack-channel: C02979BDUPL
diff --git a/.github/workflows/vulnerability.yaml b/.github/workflows/vulnerability.yaml
@@ -12,7 +12,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Run Gosec Security Scanner
         run: |
@@ -26,7 +28,7 @@ jobs:
           fi
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8
         if: always()
         with:
           # Path to SARIF file relative to the root of the repository
