fix(ci): harden workflows against template injection, pin actions

j4n · j4n · commit 5d6f2464cb97 · 2026-04-29T08:50:43.000+02:00
Template injection: Moved all attacker-controllable values into
step-level env: vars so they're never interpreted as shell syntax.

Excessive permissions: added top-level permissions: {} and per-job
grants.

Artipacked: added persist-credentials: false to both checkout steps to
prevent token leakage via .git/config in artifacts.

Unpinned actions: pinned all external actions to commit SHAs.
diff --git a/.github/workflows/cleanup.yaml b/.github/workflows/cleanup.yaml
@@ -27,7 +27,7 @@ jobs:
       packages: write
     steps:
       - name: Delete untagged versions
-        uses: actions/delete-package-versions@v5
+        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5
         with:
           package-name: ${{ env.PACKAGE_NAME }}
           package-type: container
@@ -42,7 +42,7 @@ jobs:
       packages: write
     steps:
       - name: Delete old SHA-tagged versions
-        uses: actions/delete-package-versions@v5
+        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5
         with:
           package-name: ${{ env.PACKAGE_NAME }}
           package-type: container
@@ -58,14 +58,15 @@ jobs:
     steps:
       - name: Compute branch tag
         id: tag
+        env:
+          EVENT_REF: ${{ github.event.ref }}
         run: |
           # refs/heads/j4n/foo -> j4n-foo
-          BRANCH="${{ github.event.ref }}"
-          TAG=$(echo "$BRANCH" | sed 's|/|-|g')
+          TAG=$(echo "$EVENT_REF" | sed 's|/|-|g')
           echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
 
       - name: Delete branch-tagged versions
-        uses: actions/delete-package-versions@v5
+        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5
         with:
           package-name: ${{ env.PACKAGE_NAME }}
           package-type: container
diff --git a/.github/workflows/docker-ci.yaml b/.github/workflows/docker-ci.yaml
@@ -38,6 +38,8 @@ on:
         description: 'Relay commit SHA (leave empty for HEAD of ref)'
         default: ''
 
+permissions: {}
+
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: chatmail/docker
@@ -55,40 +57,50 @@ jobs:
     steps:
       - name: Compute relay ref
         id: relay
+        env:
+          PAYLOAD_REF: ${{ github.event.client_payload.relay_ref }}
+          PAYLOAD_SHA: ${{ github.event.client_payload.relay_sha }}
+          INPUT_REF: ${{ github.event.inputs.relay_ref }}
+          INPUT_SHA: ${{ github.event.inputs.relay_sha }}
         run: |
-          # Precedence: repository_dispatch payload > workflow_dispatch input > main
-          REF="${{ github.event.client_payload.relay_ref || github.event.inputs.relay_ref || 'main' }}"
-          SHA="${{ github.event.client_payload.relay_sha || github.event.inputs.relay_sha || '' }}"
+          REF="${PAYLOAD_REF:-${INPUT_REF:-main}}"
+          SHA="${PAYLOAD_SHA:-${INPUT_SHA:-}}"
           echo "ref=${REF}" >> "$GITHUB_OUTPUT"
           echo "sha=${SHA}" >> "$GITHUB_OUTPUT"
 
       - name: Checkout relay repo as build context
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: chatmail/relay
           ref: ${{ steps.relay.outputs.sha || steps.relay.outputs.ref }}
+          persist-credentials: false
 
       - name: Checkout docker repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           path: docker
+          persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Login to GHCR
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Compute build metadata
         id: meta
+        env:
+          RELAY_REF_INPUT: ${{ steps.relay.outputs.ref }}
+          EVENT_NAME: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
-          RELAY_REF="${{ steps.relay.outputs.ref }}"
+          IMAGE="${REGISTRY}/${IMAGE_NAME}"
+          RELAY_REF="${RELAY_REF_INPUT}"
 
           # Relay SHA comes from the relay checkout at workspace root
           RELAY_SHA=$(git rev-parse HEAD)
@@ -105,10 +117,10 @@ jobs:
           # -- Tags --
           # Always: relay SHA tag
           TAGS="${IMAGE}:sha-${RELAY_SHA_SHORT}"
-          if [ "${{ github.event_name }}" = "push" ] || \
-             [ "${{ github.event_name }}" = "pull_request" ]; then
+          if [ "$EVENT_NAME" = "push" ] || \
+             [ "$EVENT_NAME" = "pull_request" ]; then
             # Docker-repo push/PR: add docker branch tag
-            TAGS="${TAGS}"$'\n'"${IMAGE}:${{ github.ref_name }}"
+            TAGS="${TAGS}"$'\n'"${IMAGE}:${REF_NAME}"
           else
             # Dispatch: tags based on relay ref
             BRANCH_TAG=$(echo "${RELAY_REF}" | sed 's|/|-|g')
@@ -175,7 +187,7 @@ jobs:
         run: cp docker/.dockerignore .dockerignore
 
       - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           context: .
           file: docker/chatmail_relay.dockerfile
@@ -193,6 +205,7 @@ jobs:
   test:
     name: Integration test
     needs: build
+    permissions: {}
     if: github.event_name != 'pull_request'
     # TODO: revert to @main once cmlxc docker support is merged
     uses: chatmail/cmlxc/.github/workflows/lxc-test.yml@j4n/docker-support
