chore(gha): harden GitHub Actions workflows security

cx-luis-ventuzelos · cx-luis-ventuzelos · commit 7e0901ccfec1 · 2026-06-22T12:02:04.000+01:00
diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml
diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
@@ -0,0 +1,30 @@
+name: Checkmarx One Scan
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "00 7 * * *" # Every day at 07:00
+
+permissions:
+  contents: read
+
+jobs:
+  cx-scan:
+    name: Checkmarx One Scan
+    permissions:
+      contents: read
+    runs-on: cx-public-ubuntu-x64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Checkmarx One CLI Action
+        uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc #v.2.3.19
+        with:
+          base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+          cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+          cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
+          additional_params: --tags sypher --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,14 +2,19 @@ name: AST Java Wrapper CI
 
 on: [ pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
   integration-tests:
+    permissions:
+      contents: read
     runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           lfs: true
 
       - name: Install Git LFS
diff --git a/.github/workflows/manual-tag.yml b/.github/workflows/manual-tag.yml
@@ -19,14 +19,17 @@ jobs:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
-          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
       - name: Tag
+        env:
+          INPUT_TAG: ${{ github.event.inputs.tag }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
         run: |
-          echo ${{ github.event.inputs.tag }}
-          echo "NEXT_VERSION=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
-          tag=${{ github.event.inputs.tag }}
-          message='${{ github.event.inputs.tag }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}'
+          echo "$INPUT_TAG"
+          echo "NEXT_VERSION=$INPUT_TAG" >> $GITHUB_ENV
+          message="$INPUT_TAG: PR #$PR_NUMBER $PR_TITLE"
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-          git tag -a "${tag}" -m "${message}"
-          git push origin "${tag}"
+          git tag -a "$INPUT_TAG" -m "$message"
+          git push origin "$INPUT_TAG"
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -22,9 +22,13 @@ jobs:
 
   nightly:
     needs: delete_tag
-    uses: Checkmarx/ast-cli-java-wrapper/.github/workflows/release.yml@main
+    uses: ./.github/workflows/release.yml
     with:
       tag: "1.0.0-SNAPSHOT"
       dev: true
       cliTag: "2.0.0-nightly"
-    secrets: inherit
+    secrets:
+      MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
+      MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
+      OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
+      OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml
@@ -9,11 +9,12 @@ permissions:
 jobs:
   pr-labeler:
     permissions:
-      pull-requests: write  # for TimonVS/pr-labeler-action to add labels in PR
+      pull-requests: write
     runs-on: cx-public-ubuntu-x64
     steps:
-      - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af #v5
-        with:
-          configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af #v5
+      #   with:
+      #     configuration-path: .github/pr-labeler.yml
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - run: echo "pr-labeler disabled"
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
@@ -38,14 +38,16 @@ jobs:
           RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
         run: |
           # Update current release
-          echo ${{ steps.checkmarx-ast-cli.outputs.release_tag }} > checkmarx-ast-cli.version
+          echo "$RELEASE_TAG" > checkmarx-ast-cli.version
 
       - name: Download latest cli and update branch
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
+        env:
+          RELEASE_TAG: ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
         run: |
           # Update binaries
           chmod +x ./.github/scripts/update_cli.sh
-          ./.github/scripts/update_cli.sh ${{ steps.checkmarx-ast-cli.outputs.release_tag }}
+          ./.github/scripts/update_cli.sh "$RELEASE_TAG"
 
       - name: Track large files with Git LFS
         if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
