[SECURITY] Harden GitHub Workflows & Actions (#12)

* Pin actions and harden CI workflows

Pin GitHub Actions to specific SHAs and tighten workflow security/behavior. Key changes:

- Pin multiple actions to commit SHAs (checkout, create-github-app-token, github-script, setup-python, setup-uv, semantic PR linter, sticky comment, etc.) to ensure immutable behavior.
- Improve secret/input handling by exporting inputs into env vars (INPUTS_*) and using those in scripts so values can be masked safely (e.g., privateKey masking).
- Add persist-credentials: false for cross-repo checkout and use env-driven Black version install to avoid leaking inputs.
- Narrow job permissions and add explicit permissions where needed (pull-requests, issues, statuses, actions, security-events) with explanatory comments.
- Add concurrency groups to workflows to cancel in-progress runs for the same PR/ref and set an environment for the check-linked-issue job.

These changes improve reproducibility and security of the CI workflows and actions.

Signed-off-by: John McCall <john@overturemaps.org>

* use local refs

Signed-off-by: John McCall <john@overturemaps.org>

* Create dependabot.yml

Signed-off-by: John McCall <john@overturemaps.org>

---------

Signed-off-by: John McCall <john@overturemaps.org>

Author: lowlydba

.github/actions/check-linked-issue/action.yml

@@ -36,20 +36,22 @@ runs:
       shell: bash
       run: |
         echo "::group::Masking private key"
-        echo "::add-mask::${{ inputs.privateKey }}"
+        echo "::add-mask::${INPUTS_PRIVATEKEY}"
         echo "::endgroup::"
+      env:
+        INPUTS_PRIVATEKEY: ${{ inputs.privateKey }}
 
     - name: Generate GitHub App token
       id: app-token
       if: ${{ inputs.privateKey != '' }}
-      uses: actions/create-github-app-token@v1
+      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
       with:
         app-id: ${{ inputs.appId }}
         private-key: ${{ inputs.privateKey }}
         owner: ${{ github.repository_owner }}
 
     - name: Check for linked issue via GraphQL
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
       with:
         github-token: ${{ steps.app-token.outputs.token || github.token }}
         script: |

.github/actions/generate-schema-docs/action.yml

@@ -35,11 +35,12 @@ runs:
     - name: Check out schema repo
       id: get-sha
       if: inputs.skip-checkout == 'false'
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         repository: OvertureMaps/schema
         ref: ${{ inputs.schema-ref }}
         path: ${{ inputs.schema-path }}
+        persist-credentials: false
 
     - name: Resolve schema SHA (skip-checkout true)
       id: get-sha-fallback
@@ -51,12 +52,12 @@ runs:
         echo "ref=$(git symbolic-ref --short HEAD 2>/dev/null || git rev-parse HEAD)" >> $GITHUB_OUTPUT
 
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version-file: ${{ inputs.schema-path }}/.python-version
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v7
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 
     - name: Install schema packages
       shell: bash
@@ -66,4 +67,6 @@ runs:
     - name: Generate markdown docs
       shell: bash
       working-directory: ${{ inputs.schema-path }}
-      run: uv run overture-codegen generate --format markdown --output-dir "${{ inputs.output-dir }}"
+      run: uv run overture-codegen generate --format markdown --output-dir "${INPUTS_OUTPUT_DIR}"
+      env:
+        INPUTS_OUTPUT_DIR: ${{ inputs.output-dir }}

.github/actions/s5cmd/action.yml

@@ -64,10 +64,10 @@ runs:
     - name: Validate inputs
       shell: bash
       run: |
-        CMD="${{ inputs.command }}"
-        SRC="${{ inputs.source }}"
-        DST="${{ inputs.destination }}"
-        BATCH="${{ inputs.batch-file }}"
+        CMD="${INPUTS_COMMAND}"
+        SRC="${INPUTS_SOURCE}"
+        DST="${INPUTS_DESTINATION}"
+        BATCH="${INPUTS_BATCH_FILE}"
 
         case "$CMD" in
           cp|mv|rm|ls|sync|run) ;;
@@ -89,15 +89,20 @@ runs:
           echo "::error::'batch-file' is only valid with the 'run' command. Did you mean to use 'source'?"
           exit 1
         fi
+      env:
+        INPUTS_COMMAND: ${{ inputs.command }}
+        INPUTS_SOURCE: ${{ inputs.source }}
+        INPUTS_DESTINATION: ${{ inputs.destination }}
+        INPUTS_BATCH_FILE: ${{ inputs.batch-file }}
 
     - name: s5cmd ${{ inputs.command }}
       shell: bash
       run: |
-        CMD="${{ inputs.command }}"
-        SRC="${{ inputs.source }}"
-        DST="${{ inputs.destination }}"
-        BATCH="${{ inputs.batch-file }}"
-        FLAGS="${{ inputs.flags }}"
+        CMD="${INPUTS_COMMAND}"
+        SRC="${INPUTS_SOURCE}"
+        DST="${INPUTS_DESTINATION}"
+        BATCH="${INPUTS_BATCH_FILE}"
+        FLAGS="${INPUTS_FLAGS}"
 
         # Build argument array: global flags first, then subcommand, then positional args
         ARGS=()
@@ -119,3 +124,9 @@ runs:
 
         echo "Running: s5cmd ${ARGS[*]}"
         s5cmd "${ARGS[@]}"
+      env:
+        INPUTS_COMMAND: ${{ inputs.command }}
+        INPUTS_SOURCE: ${{ inputs.source }}
+        INPUTS_DESTINATION: ${{ inputs.destination }}
+        INPUTS_BATCH_FILE: ${{ inputs.batch-file }}
+        INPUTS_FLAGS: ${{ inputs.flags }}

.github/dependabot.yml

@@ -0,0 +1,17 @@
+---
+version: 2
+updates:
+
+  # Maintain GitHub Actions dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    labels:
+      - "bot"
+    commit-message:
+      prefix: "[CHORE](gha)"
+      include: "scope"
+    cooldown:
+      default-days: 7

.github/workflows/lint-python.yml

@@ -35,16 +35,23 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   black:
+    name: Black Formatter
     runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: write # to post Black formatting annotations on PRs
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Black
-        run: pip install black=="${{ inputs.black_version || '25.12.0' }}"
+        run: pip install "black==${BLACK_VERSION}"
+        env:
+          BLACK_VERSION: ${{ inputs.black_version || '25.12.0' }}
 
       - uses: reviewdog/action-black@644053a260402bc4278a865906107bd8aef7fae8 # v3.22.4
         with:

.github/workflows/omf_pr_checks.yml

@@ -10,29 +10,40 @@
 name: OMF PR Checks
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types: [opened, reopened, edited, synchronize]
 
 # pull_request_target runs with write permissions so this workflow works for fork PRs.
 # SECURITY: This workflow must never check out or execute code from the PR branch.
 # If you need to add a step that does so, use the workflow_run pattern instead.
 permissions:
-  contents: none
-  issues: write
-  pull-requests: write
-  statuses: write
+  contents: none # no repository content access needed
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
 
 jobs:
 
   validate-pr-title:
     name: title
-    uses: OvertureMaps/workflows/.github/workflows/validate-pr-title.yml@main
+    permissions:
+      contents: none # no repository content access needed
+      pull-requests: write # to post PR title validation comments
+      issues: write # to post PR-related issue comments
+      statuses: write # to update commit status checks
+    uses: ./.github/workflows/validate-pr-title.yml
 
   check-linked-issue:
     name: issue
     runs-on: ubuntu-latest
+    environment: check-linked-issue-app
+    permissions:
+      contents: none # no repository content access needed
+      pull-requests: read # to query PR metadata and closing issue references
+      statuses: write # to update commit status checks
     steps:
       - name: Check for linked issue
-        uses: OvertureMaps/workflows/.github/actions/check-linked-issue@main
+        uses: ./.github/actions/check-linked-issue
         with:
           privateKey: ${{ secrets.CHECK_LINKED_ISSUE_APP_PEM }}

.github/workflows/omf_sec_checks.yml

@@ -19,14 +19,20 @@ on:
 
 permissions:
   contents: read
-  actions: read
-  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
 
   zizmor:
     name: zizmor
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read # to read workflow files for security auditing
+      security-events: write # to upload SARIF results to GitHub Advanced Security
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/validate-pr-title.yml

@@ -23,7 +23,7 @@ name: Validate PR Title
 
 on:
   workflow_call:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
       - opened
       - reopened
@@ -34,17 +34,23 @@ on:
 # SECURITY: This workflow must never check out or execute code from the PR branch.
 # If you need to add a step that does so, use the workflow_run pattern instead.
 permissions:
-  contents: none
-  pull-requests: write
-  issues: write
-  statuses: write
+  contents: none # no repository content access needed
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
   validate:
     name: Validate PR Title
     runs-on: ubuntu-latest
+    permissions:
+      contents: none # no repository content access needed
+      pull-requests: write # to post PR title validation comments
+      issues: write # to post PR-related issue comments via sticky comment action
+      statuses: write # to update commit status checks
     steps:
-      - uses: amannn/action-semantic-pull-request@v6
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         id: lint_pr_title
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -79,7 +85,7 @@ jobs:
 
       - name: Post validation failure comment
         if: ${{ failure() && steps.lint_pr_title.outputs.error_message }}
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
         with:
           header: pr-title-validation-error
           message: |
@@ -97,7 +103,7 @@ jobs:
 
       - name: Delete comment on success
         if: ${{ success() }}
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
         with:
           header: pr-title-validation-error
           delete: true