security: harden release workflow and declare workflow_call secrets (#487)

* security: harden release workflow and declare workflow_call secrets

- Replace actions/checkout v4.3.1 with v6.0.3 and switch from PERSONAL_ACCESS_TOKEN to GITHUB_TOKEN
- Fix script injection in Download CLI, Tag, Update POM, Build artifactId, and Publish steps by moving inputs to env vars
- Replace deprecated ::set-output with $GITHUB_OUTPUT in Tag step
- Update actions/setup-java v4.3.0 to v5.2.0
- Add explicit secrets declaration for workflow_call (MAVEN_GPG_PASSPHRASE, MAVEN_GPG_PRIVATE_KEY, OSSRH_TOKEN, OSSRH_USERNAME)
- Fix broken shell conditional in Build artifactId property step

* chore(gha): harden GitHub Actions workflows security

* chore(gha): disable nightly trigger and remove pr-labeler workflow

* chore(gha): configure echo mirror for Maven dependency resolution

Author: cx-luis-ventuzelos

.github/workflows/auto-merge-pr.yml

@@ -0,0 +1,30 @@
+name: Checkmarx One Scan
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "00 7 * * *" # Every day at 07:00
+
+permissions:
+  contents: read
+
+jobs:
+  cx-scan:
+    name: Checkmarx One Scan
+    permissions:
+      contents: read
+    runs-on: cx-public-ubuntu-x64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Checkmarx One CLI Action
+        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc #v.2.3.19
+        with:
+          base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+          cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+          cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
+          additional_params: --tags sypher --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"

.github/workflows/checkmarx-one-scan.yml

@@ -2,14 +2,19 @@ name: AST Java Wrapper CI
 
 on: [ pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   integration-tests:
+    permissions:
+      contents: read
     runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           lfs: true
 
       - name: Install Git LFS
@@ -27,6 +32,10 @@ jobs:
           distribution: 'temurin'
           java-version: '11'
 
+      - name: Configure echo mirror for dependency resolution
+        run: |
+          sed -i 's|</settings>|<mirrors><mirror><id>echo</id><mirrorOf>central</mirrorOf><url>https://maven.echohq.com</url></mirror></mirrors></settings>|' ~/.m2/settings.xml
+
       - name: Check existence of cx-linux binary
         run: |
           if [ ! -f "src/main/resources/cx-linux" ]; then

.github/workflows/ci.yml

@@ -19,14 +19,17 @@ jobs:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
       - name: Tag
+        env:
+          INPUT_TAG: ${{ github.event.inputs.tag }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo ${{ github.event.inputs.tag }}
-          echo "NEXT_VERSION=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
-          tag=${{ github.event.inputs.tag }}
-          message='${{ github.event.inputs.tag }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}'
+          echo "$INPUT_TAG"
+          echo "NEXT_VERSION=$INPUT_TAG" >> $GITHUB_ENV
+          message="$INPUT_TAG: PR #$PR_NUMBER $PR_TITLE"
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-          git tag -a "${tag}" -m "${message}"
-          git push origin "${tag}"
+          git tag -a "$INPUT_TAG" -m "$message"
+          git push origin "$INPUT_TAG"

.github/workflows/manual-tag.yml

@@ -1,9 +1,10 @@
 name: Nightly Release
 
 on:
-  push:
-    branches:
-      - main
+  workflow_dispatch: # push disabled — re-enable when nightly is ready
+  # push:
+  #   branches:
+  #     - main
 
 permissions:
   contents: read
@@ -22,9 +23,13 @@ jobs:
 
   nightly:
     needs: delete_tag
-    uses: Checkmarx/ast-cli-java-wrapper/.github/workflows/release.yml@main
+    uses: ./.github/workflows/release.yml
     with:
       tag: "1.0.0-SNAPSHOT"
       dev: true
       cliTag: "2.0.0-nightly"
-    secrets: inherit
+    secrets:
+      MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
+      MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
+      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
+      OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}

.github/workflows/nightly.yml

@@ -41,6 +41,15 @@ on:
         required: false
         default: false
         type: boolean
+    secrets:
+      MAVEN_GPG_PASSPHRASE:
+        required: true
+      MAVEN_GPG_PRIVATE_KEY:
+        required: true
+      OSSRH_TOKEN:
+        required: true
+      OSSRH_USERNAME:
+        required: true
 
 permissions:
   contents: read
@@ -56,16 +65,18 @@ jobs:
       TAG_NAME: ${{ steps.set_tag_name.outputs.TAG_NAME }}
     steps:
       - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           lfs: true
 
       - name: Download CLI
         if: inputs.cliTag
+        env:
+          INPUT_CLI_TAG: ${{ inputs.cliTag }}
         run: |
           chmod +x ./.github/scripts/update_cli.sh
-          ./.github/scripts/update_cli.sh ${{ inputs.cliTag }}
+          ./.github/scripts/update_cli.sh "$INPUT_CLI_TAG"
 
       - name: Extract CLI version
         id: extract_cli_version
@@ -92,19 +103,19 @@ jobs:
 
       - name: Tag
         id: set_tag_name
+        env:
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
-          echo ${{ inputs.tag }}
-          tag=${{ inputs.tag }}
-          echo "RELEASE_VERSION=${{ inputs.tag }}" >> $GITHUB_ENV
-          message='${{ inputs.tag }}'
+          echo "$INPUT_TAG"
+          echo "RELEASE_VERSION=$INPUT_TAG" >> $GITHUB_ENV
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-          git tag -a "${tag}" -m "${message}"
-          git push origin "${tag}"
-          echo "TAG_NAME=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+          git tag -a "$INPUT_TAG" -m "$INPUT_TAG"
+          git push origin "$INPUT_TAG"
+          echo "TAG_NAME=$INPUT_TAG" >> $GITHUB_OUTPUT
 
       - name: Set up Maven Central Repository
-        uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           java-version: '11'
           distribution: 'temurin'
@@ -114,20 +125,27 @@ jobs:
           gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
+      - name: Configure echo mirror for dependency resolution
+        run: |
+          sed -i 's|</settings>|<mirrors><mirror><id>echo</id><mirrorOf>central</mirrorOf><url>https://maven.echohq.com</url></mirror></mirrors></settings>|' ~/.m2/settings.xml
+
       - name: Update the POM version.
-        run: mvn -B versions:set -DnewVersion='${{ env.RELEASE_VERSION }}' --file pom.xml -DskipTests
+        run: mvn -B versions:set -DnewVersion="$RELEASE_VERSION" --file pom.xml -DskipTests
 
       - name: Build artifactId property
+        env:
+          INPUT_DEV: ${{ inputs.dev }}
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
           prop=''
-          if [ ${{ inputs.dev }} = true ] && ![ "${{ inputs.tag }}" = "1.0.0-SNAPSHOT" ]; then
+          if [ "$INPUT_DEV" = "true" ] && [ "$INPUT_TAG" != "1.0.0-SNAPSHOT" ]; then
             prop='-Dast.wrapper.id=ast-cli-java-wrapper-dev'
           fi
           echo "AID_PROP=${prop}" >> $GITHUB_ENV
 
       - name: Publish package
         if: inputs.publish == true
-        run: mvn --batch-mode deploy -DskipTests ${{ env.AID_PROP }}
+        run: mvn --batch-mode deploy -DskipTests $AID_PROP
         env:
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_TOKEN }}

.github/workflows/pr-label.yml

@@ -38,14 +38,16 @@ jobs:
           RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
         run: |
           # Update current release
-          echo ${{ steps.checkmarx-ast-cli.outputs.release_tag }} > checkmarx-ast-cli.version
+          echo "$RELEASE_TAG" > checkmarx-ast-cli.version
 
       - name: Download latest cli and update branch
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
+        env:
+          RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
         run: |
           # Update binaries
           chmod +x ./.github/scripts/update_cli.sh
-          ./.github/scripts/update_cli.sh ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
+          ./.github/scripts/update_cli.sh "$RELEASE_TAG"
 
       - name: Track large files with Git LFS
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag