chore: add additional security remediations (#4141)

* chore: add additional security remediations

Signed-off-by: Frank Kong <[email protected]>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

* chore: add artifact sanitization

Signed-off-by: Frank Kong <[email protected]>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

* chore: move permission to job level

Signed-off-by: Frank Kong <[email protected]>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

Author: Zaperex

.github/actions/check-image-and-changes/action.yaml

@@ -40,8 +40,7 @@ runs:
 
         # Check for [skip-build] tag in commit messages
         SKIP_BUILD_TAG=false
-        COMMIT_MESSAGES=$(git log --format=%B "$BASE_COMMIT"..HEAD)
-        if echo "$COMMIT_MESSAGES" | grep -q "\[skip-build\]"; then
+        if git log --format=%B "$BASE_COMMIT"..HEAD | grep -qF "[skip-build]"; then
           echo "Found [skip-build] tag in commit messages."
           SKIP_BUILD_TAG=true
         fi

.github/workflows/pr-1.8.yaml

@@ -36,6 +36,8 @@ jobs:
   build:
     name: Build with Node.js ${{ matrix.node-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         node-version: [22]
@@ -60,6 +62,8 @@ jobs:
       - name: Setup local Turbo cache
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         uses: dtinth/setup-github-actions-caching-for-turbo@cc723b4600e40a6b8815b65701d8614b91e2669e # v1
+        with:
+          cache-prefix: turbogha-pr-${{ github.event.number }}
 
       - name: Use app-config.example.yaml
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
@@ -78,6 +82,8 @@ jobs:
   test:
     name: Test with Node.js ${{ matrix.node-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         node-version: [22]
@@ -101,6 +107,8 @@ jobs:
       - name: Setup local Turbo cache
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         uses: dtinth/setup-github-actions-caching-for-turbo@cc723b4600e40a6b8815b65701d8614b91e2669e # v1
+        with:
+          cache-prefix: turbogha-pr-${{ github.event.number }}
 
       - name: Use app-config.example.yaml
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}

.github/workflows/pr-build-image.yaml

@@ -16,6 +16,7 @@ name: PR Build Image (Hermetic)
 
 on:
   pull_request:
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }}
   cancel-in-progress: true
@@ -28,7 +29,8 @@ jobs:
   build-image:
     name: Build Image
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -65,8 +67,8 @@ jobs:
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         run: |
           git remote add base-origin https://github.com/${{ github.repository }} || true
-          git config user.name "${{ github.event.pull_request.user.login }}"
-          git config user.email "${{ github.event.pull_request.user.email }}"
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
           echo "Updating PR with latest commits from ${{ github.event.pull_request.base.ref }} ..."
           git fetch base-origin ${{ github.event.pull_request.base.ref }}
           git merge --no-edit base-origin/${{ github.event.pull_request.base.ref }}

.github/workflows/pr-podman-push.yaml

@@ -79,12 +79,21 @@ jobs:
         id: check-skip
         run: |
           if [ -f "./rhdh-skip-artifacts/isSkipped.txt" ]; then
-            IS_SKIPPED=$(cat ./rhdh-skip-artifacts/isSkipped.txt)
-            echo "Found skip status: $IS_SKIPPED"
+            IS_SKIPPED_RAW=$(cat ./rhdh-skip-artifacts/isSkipped.txt)
+            
+            # Sanitize: Allow only 'true' or 'false', default to false if unknown to skip artifact download in case of injection
+            if [[ "$IS_SKIPPED_RAW" == "false" ]]; then
+              IS_SKIPPED="false"
+            else
+              IS_SKIPPED="true"
+            fi
+            
+            echo "Found skip status: $IS_SKIPPED_RAW"
+            echo "Sanitized skip status: $IS_SKIPPED"
             echo "is_skipped=$IS_SKIPPED" >> $GITHUB_OUTPUT
           else
-            echo "Skip status artifact not found, proceeding with push"
-            echo "is_skipped=false" >> $GITHUB_OUTPUT
+            echo "Skip status artifact not found, skipping push"
+            echo "is_skipped=true" >> $GITHUB_OUTPUT
           fi
 
       - name: Download Image Artifacts
@@ -117,12 +126,13 @@ jobs:
           podman images
           
           echo "Full tags from metadata:"
-          echo "$TAGS_LIST"
+          printf '%s\n' "$TAGS_LIST"
           
-          # Use a heredoc since TAGS_LIST contains newlines
-          echo "tags<<EOF" >> $GITHUB_OUTPUT
-          echo "$TAGS_LIST" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+          # SECURITY: Use a random delimiter to prevent output injection from artifact poisoning
+          DELIMITER=$(openssl rand -hex 16)
+          echo "tags<<$DELIMITER" >> $GITHUB_OUTPUT
+          printf '%s\n' "$TAGS_LIST" >> $GITHUB_OUTPUT
+          echo "$DELIMITER" >> $GITHUB_OUTPUT
 
       - name: Push Images
         if: ${{ steps.check-skip.outputs.is_skipped != 'true' }}

.github/workflows/pr.yaml

@@ -34,6 +34,8 @@ jobs:
   build:
     name: Build with Node.js ${{ matrix.node-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         node-version: [22]
@@ -58,6 +60,8 @@ jobs:
       - name: Setup local Turbo cache
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         uses: dtinth/setup-github-actions-caching-for-turbo@cc723b4600e40a6b8815b65701d8614b91e2669e # v1
+        with:
+          cache-prefix: turbogha-pr-${{ github.event.number }}
 
       - name: Use app-config.example.yaml
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
@@ -76,6 +80,8 @@ jobs:
   test:
     name: Test with Node.js ${{ matrix.node-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         node-version: [22]
@@ -99,6 +105,8 @@ jobs:
       - name: Setup local Turbo cache
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         uses: dtinth/setup-github-actions-caching-for-turbo@cc723b4600e40a6b8815b65701d8614b91e2669e # v1
+        with:
+          cache-prefix: turbogha-pr-${{ github.event.number }}
 
       - name: Use app-config.example.yaml
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}