
fix: template injection vulns and excessive permissions in workflows#99

Merged
daithihearn merged 6 commits into main from fix/worlfow-vuln-fixes
Mar 5, 2026

Conversation

Vombato (Contributor) commented Feb 26, 2026

Summary by CodeRabbit

  • Chores
    • Switched tag handling to use an intermediate environment variable before exporting the computed release/tag value.
    • Reduced and tightened CI permissions: removed unnecessary global write rights and adjusted entries for workflows.
    • Scoped some permissions to individual jobs (instead of globally) to improve security and maintainability of CI/CD pipelines.

coderabbitai bot commented Feb 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e03d86bb-4939-46b4-bb1d-a5e962bd1e2c

📥 Commits

Reviewing files that changed from the base of the PR and between 62edd87 and e04a44b.

📒 Files selected for processing (1)
  • .github/workflows/publish-test-results.yml

📝 Walkthrough

Walkthrough

Moved computed tag expressions into environment variables (LATEST_TAG, RELEASE_TAG) before emitting to GITHUB_OUTPUT and reduced/tightened GitHub Actions permissions by removing or scoping down id-token, packages, and pull-requests write access across multiple workflows.

Changes

  • Tag variable handling (.github/workflows/on-main.yml, .github/workflows/on-release.yml): Computed tag values are assigned to env vars (LATEST_TAG, RELEASE_TAG) and then echoed to GITHUB_OUTPUT; tag comparisons updated to use the env var.
  • Permissions and scope adjustments (.github/workflows/publish-test-results.yml, .github/workflows/test.yml, .github/workflows/on-release.yml): Global permissions reduced: removed id-token: write and packages: write; moved pages: write and id-token: write to the publish-test-reports job; release workflow lowered contents scope and removed pull-requests: write.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • nawfal-labrahmi

Poem

🐰
I nudged the tags into a cozy nest,
Whispered outputs, then trimmed excess vest,
Permissions pruned with gentle cheer,
CI hops lighter, skies more clear,
A tiny carrot — workflow blessed.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main changes: addressing template injection vulnerabilities and reducing excessive permissions in GitHub workflows across multiple files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


daithihearn (Member) previously approved these changes Mar 4, 2026

Approved @Vombato but there is a conflict that needs to be resolved

github-actions bot commented Mar 4, 2026

📦 Snapshot Published

org.vechain:indexer-core:pr.99.0c2ff79-SNAPSHOT
Usage

Add the GitHub Packages repository to your build.gradle.kts:

repositories {
    maven {
        url = uri("https://maven.pkg.github.com/vechain/indexer-core")
        credentials {
            username = findProperty("gpr.user") as String? ?: System.getenv("GITHUB_ACTOR")
            password = findProperty("gpr.key") as String? ?: System.getenv("GITHUB_TOKEN")
        }
    }
}

Then use the dependency:

implementation("org.vechain:indexer-core:pr.99.0c2ff79-SNAPSHOT")

Note: Requires a GitHub PAT with read:packages scope in ~/.gradle/gradle.properties:

gpr.user=YOUR_GITHUB_USERNAME
gpr.key=ghp_YOUR_TOKEN

Vombato requested a review from daithihearn March 4, 2026 15:03

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish-test-results.yml:
- Around line 11-13: The workflow's job-level permissions block currently lists
"pages: write" and "id-token: write" but omits "contents", causing
actions/checkout@v4 to fail; update the permissions block to include "contents:
read" alongside the existing "pages" and "id-token" entries so that checkout can
read repository contents (i.e., add the "contents: read" permission key in the
same permissions mapping).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 369b1bad-7b50-4578-9c4a-412972677b64

📥 Commits

Reviewing files that changed from the base of the PR and between fca1a90 and 62edd87.

📒 Files selected for processing (4)
  • .github/workflows/on-main.yml
  • .github/workflows/on-release.yml
  • .github/workflows/publish-test-results.yml
  • .github/workflows/test.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/test.yml
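
The two patterns CodeRabbit describes above (binding the computed tag to an env var before writing it to GITHUB_OUTPUT, and scoping pages/id-token to the publish job together with the contents: read that actions/checkout needs) put together in one constructed workflow. This is an added illustration, not a file from the vechain/indexer-core repository; the job names, trigger and tag pattern are assumptions.

```yaml
name: release (constructed example)
on:
  release:
    types: [published]

# Workflow-level default is read-only; jobs that need more request it themselves.
permissions:
  contents: read

jobs:
  compute-tag:
    runs-on: ubuntu-latest
    outputs:
      release_tag: ${{ steps.tag.outputs.release_tag }}
    steps:
      # Unsafe shape (for contrast, not used):
      #   run: echo "release_tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
      # The expression is substituted into the script text before the shell runs it,
      # so the tag name is treated as script, not as data.
      - id: tag
        env:
          # Safe shape: bind the expression to an env var; the shell only ever sees "$RELEASE_TAG".
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          # Assumed allow-list: accept plain version tags only, fail fast on anything else.
          case "$RELEASE_TAG" in
            v[0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "unexpected tag format: $RELEASE_TAG" >&2; exit 1 ;;
          esac
          echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT"

  publish-test-reports:
    needs: compute-tag
    runs-on: ubuntu-latest
    # Job-scoped permissions: pages/id-token only here, plus contents: read so that
    # actions/checkout can read the repository (the omission CodeRabbit flagged).
    permissions:
      contents: read
      pages: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - env:
          # Same rule for job outputs: pass them through env, never inline in the script.
          RELEASE_TAG: ${{ needs.compute-tag.outputs.release_tag }}
        run: echo "publishing test reports for $RELEASE_TAG"
```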

Vombato (Contributor, Author) commented Mar 4, 2026

@daithihearn conflicts solved, I also reduced permissions to the bare minimum needed for the on-release.yml workflow.
Seems to be working here ok but let's keep an eye on it after merging.

daithihearn merged commit 12c4a5b into main Mar 5, 2026
7 checks passed
