fix zizmor-flagged workflow security issues

hu-ahmed · hu-ahmed · commit f32fc7753442 · 2026-04-20T17:24:07.000+02:00
diff --git a/.github/workflows/docker-nightly.yml b/.github/workflows/docker-nightly.yml
@@ -28,6 +28,8 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -35,6 +35,8 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Use Node.js 18.x
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
@@ -33,6 +33,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
@@ -45,11 +46,15 @@ jobs:
 
       - name: Helm | Package
         shell: bash
-        run: helm package deployment/helm/ditto --dependency-update --version ${{ inputs.chartVersion }}
+        env:
+          CHART_VERSION: ${{ inputs.chartVersion }}
+        run: helm package deployment/helm/ditto --dependency-update --version "$CHART_VERSION"
 
       - name: Helm | Push
         shell: bash
-        run: helm push ditto-${{ inputs.chartVersion }}.tgz oci://registry-1.docker.io/eclipse
+        env:
+          CHART_VERSION: ${{ inputs.chartVersion }}
+        run: helm push "ditto-${CHART_VERSION}.tgz" oci://registry-1.docker.io/eclipse
 
       - name: Helm | Logout
         shell: bash
@@ -58,4 +63,6 @@ jobs:
       - name: Helm | Output
         id: output
         shell: bash
-        run: echo "image=registry-1.docker.io/eclipse/ditto:${{ inputs.chartVersion }}" >> $GITHUB_OUTPUT
+        env:
+          CHART_VERSION: ${{ inputs.chartVersion }}
+        run: echo "image=registry-1.docker.io/eclipse/ditto:${CHART_VERSION}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
@@ -36,6 +36,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
@@ -50,14 +51,20 @@ jobs:
           version: ${{ env.VERSION_CHART_TESTING }}
       - name: Run chart-testing (list-changed)
         id: list-changed
+        env:
+          CT_CONFIG: ${{ env.CONFIG_OPTION_CHART_TESTING }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
-          changed=$(ct list-changed ${{ env.CONFIG_OPTION_CHART_TESTING }} --target-branch ${{ github.event.repository.default_branch }})
+          changed=$(ct list-changed $CT_CONFIG --target-branch "$DEFAULT_BRANCH")
           if [[ -n "$changed" ]]; then
             echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint ${{ env.CONFIG_OPTION_CHART_TESTING }} --target-branch ${{ github.event.repository.default_branch }}
+        env:
+          CT_CONFIG: ${{ env.CONFIG_OPTION_CHART_TESTING }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        run: ct lint $CT_CONFIG --target-branch "$DEFAULT_BRANCH"
 
   kubeval-chart:
     runs-on: ubuntu-latest
@@ -79,6 +86,8 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Fetch history for chart testing
         run: git fetch --prune --unshallow
       - name: Set up Helm
@@ -113,6 +122,8 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Fetch history for chart testing
         run: git fetch --prune --unshallow
       - name: Set up Helm
@@ -129,8 +140,11 @@ jobs:
           version: ${{ env.VERSION_CHART_TESTING }}
       - name: Run chart-testing (list-changed)
         id: list-changed
+        env:
+          CT_CONFIG: ${{ env.CONFIG_OPTION_CHART_TESTING }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
         run: |
-          changed=$(ct list-changed ${{ env.CONFIG_OPTION_CHART_TESTING }} --target-branch ${{ github.event.repository.default_branch }})
+          changed=$(ct list-changed $CT_CONFIG --target-branch "$DEFAULT_BRANCH")
           if [[ -n "$changed" ]]; then
             echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
@@ -141,4 +155,7 @@ jobs:
           node_image: kindest/node:${{ matrix.k8s }}
       - name: Run chart-testing (install)
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct install ${{ env.CONFIG_OPTION_CHART_TESTING }} --target-branch ${{ github.event.repository.default_branch }}
+        env:
+          CT_CONFIG: ${{ env.CONFIG_OPTION_CHART_TESTING }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        run: ct install $CT_CONFIG --target-branch "$DEFAULT_BRANCH"
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
@@ -24,6 +24,8 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1
         id: the-files
         continue-on-error: true
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -39,6 +39,8 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up JDK 25
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
diff --git a/.github/workflows/push-dockerhub-on-demand.yml b/.github/workflows/push-dockerhub-on-demand.yml
@@ -42,6 +42,8 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
@@ -66,11 +68,13 @@ jobs:
       -
         name: Branch name
         id: branch_name
+        env:
+          DITTO_VERSION_INPUT: ${{ inputs.dittoVersion }}
         run: |
-          echo "IMAGE_TAG=${{ inputs.dittoVersion }}" >> $GITHUB_ENV
-          echo "IMAGE_MINOR_TAG=$(echo ${{ inputs.dittoVersion }} | cut -d. -f-2)" >> $GITHUB_ENV
-          echo "IMAGE_MAJOR_TAG=$(echo ${{ inputs.dittoVersion }} | cut -d. -f-1)" >> $GITHUB_ENV
-          echo "MILESTONE_OR_RC_SUFFIX=$(echo ${{ inputs.dittoVersion }} | cut -d- -f2)" >> $GITHUB_ENV
+          echo "IMAGE_TAG=$DITTO_VERSION_INPUT" >> $GITHUB_ENV
+          echo "IMAGE_MINOR_TAG=$(echo "$DITTO_VERSION_INPUT" | cut -d. -f-2)" >> $GITHUB_ENV
+          echo "IMAGE_MAJOR_TAG=$(echo "$DITTO_VERSION_INPUT" | cut -d. -f-1)" >> $GITHUB_ENV
+          echo "MILESTONE_OR_RC_SUFFIX=$(echo "$DITTO_VERSION_INPUT" | cut -d- -f2)" >> $GITHUB_ENV
       -
         name: Building Docker images for tag
         run: |
diff --git a/.github/workflows/push-dockerhub.yml b/.github/workflows/push-dockerhub.yml
@@ -27,6 +27,8 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml
@@ -98,6 +98,7 @@ jobs:
           ref: ${{ env.DITTO_BRANCH }}
           token: ${{ secrets.GITHUB_TOKEN }}
           path: ditto
+          persist-credentials: false
 
       - name: Checkout ditto-testing repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -106,6 +107,7 @@ jobs:
           ref: ${{ env.DITTO_TESTING_BRANCH }}
           token: ${{ secrets.GITHUB_TOKEN }}
           path: ditto-testing
+          persist-credentials: false
 
       - name: Checkout ditto-clients repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -114,6 +116,7 @@ jobs:
           ref: 'master'
           token: ${{ secrets.GITHUB_TOKEN }}
           path: ditto-clients
+          persist-credentials: false
 
       - name: Set up JDK 25
         uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1
diff --git a/.github/workflows/ui-ci.yml b/.github/workflows/ui-ci.yml
@@ -32,6 +32,8 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Use Node.js 18.x
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -43,11 +43,9 @@ jobs:
         with:
           persist-credentials: false
 
-      # Advisory mode: findings are uploaded to the GitHub Security tab via
-      # SARIF (advanced-security: true by default in the action) but do NOT
-      # fail the build. Existing findings (permissions, template-injection,
-      # etc.) will be addressed in follow-up PRs. Once cleaned up, remove
-      # continue-on-error to make this a gating check.
+      # Gating check: SARIF findings are uploaded to the GitHub Security tab
+      # (advanced-security: true by default in the action) AND fail the build.
+      # If new findings appear from legitimate workflow changes, fix them or
+      # add a scoped `# zizmor: ignore[<rule>]` comment with justification.
       - name: Run zizmor
-        continue-on-error: true
         uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,33 @@
+# Copyright (c) 2026 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# zizmor configuration — scoped suppressions with written justification.
+# https://docs.zizmor.sh/configuration/
+#
+# This file lists findings we have knowingly accepted. Every entry must be
+# justified. Do NOT add new entries without a comment explaining the reason.
+
+rules:
+  cache-poisoning:
+    ignore:
+      # PR/build-validation workflows: run on pull_request and push to master
+      # but do NOT publish artifacts to any registry. A poisoned cache cannot
+      # leak into released images because these workflows don't build images.
+      - maven.yml
+      - ui-ci.yml
+
+      # Release/publish workflows: setup-node is invoked without a `cache:`
+      # input, so caching is not enabled on this step. Zizmor flags the
+      # action defensively because it is cache-capable; the actual runtime
+      # behaviour does not populate or restore any cache here.
+      - docker-nightly.yml
+      - push-dockerhub.yml
+      - push-dockerhub-on-demand.yml

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ jobs:`
`28`	`28`	`-`
`29`	`29`	`name: Checkout`
`30`	`30`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
	`31`	`+ with:`
	`32`	`+ persist-credentials: false`
`31`	`33`	`-`
`32`	`34`	`name: Set up QEMU`
`33`	`35`	`uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,8 @@ jobs:`
`27`	`27`	`-`
`28`	`28`	`name: Checkout`
`29`	`29`	`uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
	`30`	`+ with:`
	`31`	`+ persist-credentials: false`
`30`	`32`	`-`
`31`	`33`	`name: Set up QEMU`
`32`	`34`	`uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0`