fix(ci): scope CS_* creds to the bench step, not job env

tobyhede · tobyhede · commit 4af413b349b8 · 2026-06-19T22:54:44.000+10:00
Job-scoped secrets are exposed to every step, including third-party actions
(actions/checkout, jdx/mise-action, Swatinem/rust-cache) referenced by mutable
tags — a compromised tag could exfiltrate ZeroKMS/client creds before the bench
script runs. Move the four CS_* vars onto the 'Run bench tests' step that actually
needs them (fixture:generate:all). Least privilege; addresses PR review.
diff --git a/.github/workflows/bench-eql.yml b/.github/workflows/bench-eql.yml
@@ -41,15 +41,6 @@ jobs:
 
     env:
       POSTGRES_VERSION: "17"
-      # test:sqlx:prep regenerates the per-type fixtures by encrypting plaintext
-      # through cipherstash-client, which needs BOTH a ZeroKMS auth credential
-      # (CS_CLIENT_ACCESS_KEY + CS_WORKSPACE_CRN) AND a client key (CS_CLIENT_ID +
-      # CS_CLIENT_KEY). Without them fixture:generate:all fails with
-      # "Auth strategy error: Not authenticated". Mirrors test-eql.yml.
-      CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
-      CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
-      CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
-      CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
 
     steps:
       - uses: actions/checkout@v4
@@ -70,6 +61,17 @@ jobs:
           mise run postgres:up postgres-${POSTGRES_VERSION} --extra-args "--detach --wait"
 
       - name: Run bench tests
+        # CS_* scoped to THIS step only (least privilege): test:bench -> test:sqlx:prep
+        # -> fixture:generate:all encrypts via cipherstash-client and needs BOTH a
+        # ZeroKMS auth credential (CS_CLIENT_ACCESS_KEY + CS_WORKSPACE_CRN) AND a client
+        # key (CS_CLIENT_ID + CS_CLIENT_KEY); without them it fails "Auth strategy error:
+        # Not authenticated". Kept off job scope so checkout/mise/rust-cache actions
+        # never see them.
+        env:
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
+          CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
+          CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
+          CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
         run: |
           export active_rust_toolchain=$(rustup show active-toolchain | cut -d' ' -f1)
           rustup component add --toolchain ${active_rust_toolchain} rustfmt clippy
