fix(ci): address review quick wins

lllamnyp · lllamnyp · commit 31e0445522a1 · 2026-06-11T11:29:28.000+03:00
- Quote/env-ize shell expansions in helm-publish and release-assets (script-injection hardening for github.ref_name/github.actor; shellcheck-clean).
- Require serviceAccount.name when serviceAccount.create=false instead of falling back to the namespace default SA (avoids binding the operator ClusterRole to default).
- Add least-privilege 'permissions: contents: read' to the CI workflow.
- Pin release-drafter to its v6.0.0 commit SHA (runs under pull_request_target).
- Check the fmt.Fprintln error in etcd-migrate's version command (errcheck).

Signed-off-by: Timofei Larkin &lt;lllamnyp@gmail.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
   push:
     branches: [ main ]
 
+# CI only builds and tests — no writes to the repo, releases, or packages.
+permissions:
+  contents: read
+
 jobs:
   image-multiarch:
     # Build-only assertion that the operator image builds for every published
diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
@@ -43,23 +43,28 @@ jobs:
         run: make manifests
 
       - name: Resolve chart versions from tag
+        env:
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          TAG=${{ github.ref_name }}
-          echo "RELEASE_TAG=${TAG}" >> $GITHUB_ENV
+          TAG="$REF_NAME"
+          echo "RELEASE_TAG=${TAG}" >> "$GITHUB_ENV"
           # Chart version is semver without the leading v; appVersion keeps it.
-          echo "RELEASE_TAG_TRIMMED_V=${TAG#v}" >> $GITHUB_ENV
+          echo "RELEASE_TAG_TRIMMED_V=${TAG#v}" >> "$GITHUB_ENV"
 
       - name: Helm registry login
+        env:
+          ACTOR: ${{ github.actor }}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           helm registry login \
-            --username ${{ github.actor }} \
-            --password ${{ secrets.GITHUB_TOKEN }} \
-            ${{ env.REGISTRY }}
+            --username "$ACTOR" \
+            --password "$TOKEN" \
+            "${{ env.REGISTRY }}"
 
       - name: Package chart
         working-directory: charts
         run: |
-          helm package ${{ env.CHART_NAME }} \
+          helm package "${{ env.CHART_NAME }}" \
             --version "${RELEASE_TAG_TRIMMED_V}" \
             --app-version "${RELEASE_TAG}"
 
diff --git a/.github/workflows/release-assets.yml b/.github/workflows/release-assets.yml
@@ -36,10 +36,12 @@ jobs:
           version: 'v3.16.4'
 
       - name: Resolve release tag
-        run: echo "RELEASE_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+        env:
+          REF_NAME: ${{ github.ref_name }}
+        run: echo "RELEASE_TAG=$REF_NAME" >> "$GITHUB_ENV"
 
       - name: Render install manifests
-        run: make build-dist-manifests IMG=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${RELEASE_TAG}
+        run: make build-dist-manifests IMG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${RELEASE_TAG}"
 
       - uses: svenstaro/upload-release-action@2.9.0
         with:
@@ -82,10 +84,12 @@ jobs:
           cache: true
 
       - name: Resolve release tag
-        run: echo "RELEASE_TAG=${{ github.ref_name }}" >> $GITHUB_ENV
+        env:
+          REF_NAME: ${{ github.ref_name }}
+        run: echo "RELEASE_TAG=$REF_NAME" >> "$GITHUB_ENV"
 
       - name: Cross-compile CLIs
-        run: make dist-cli VERSION=${RELEASE_TAG}
+        run: make dist-cli VERSION="${RELEASE_TAG}"
 
       - name: Upload etcd-migrate binaries
         uses: svenstaro/upload-release-action@2.9.0
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -27,7 +27,7 @@ jobs:
       # code under it is the canonical fork-to-RCE pattern. release-drafter
       # touches no repo code, so this job stays safe as long as nothing here
       # checks out untrusted refs.
-      - uses: release-drafter/release-drafter@v6.0.0
+      - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
         with:
           disable-releaser: ${{ github.ref != 'refs/heads/main' }}
           config-name: release-drafter.yml
diff --git a/charts/etcd-operator/templates/_helpers.tpl b/charts/etcd-operator/templates/_helpers.tpl
@@ -42,7 +42,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- if .Values.serviceAccount.create -}}
 {{- include "etcd-operator.fullname" . -}}
 {{- else -}}
-default
+{{- /* Don't silently fall back to the namespace "default" SA: rbac.yaml binds
+the operator's broad ClusterRole to this name, and binding it to "default"
+would hand those permissions to every workload using the default SA. */ -}}
+{{- required "serviceAccount.name is required when serviceAccount.create is false" .Values.serviceAccount.name -}}
 {{- end -}}
 {{- end -}}
 
diff --git a/charts/etcd-operator/values.yaml b/charts/etcd-operator/values.yaml
@@ -43,6 +43,9 @@ fullnameOverride: ""
 serviceAccount:
   # -- Create the operator ServiceAccount.
   create: true
+  # -- Name of an existing ServiceAccount to use when create is false. Required
+  # in that case — the operator's ClusterRole is bound to this name.
+  name: ""
   # -- Extra annotations for the ServiceAccount.
   annotations: {}
 
diff --git a/cmd/etcd-migrate/main.go b/cmd/etcd-migrate/main.go
@@ -77,7 +77,7 @@ explicit --skip-backup.`,
 		Short: "Print the etcd-migrate binary version",
 		Args:  cobra.NoArgs,
 		Run: func(cmd *cobra.Command, _ []string) {
-			fmt.Fprintln(cmd.OutOrStdout(), version)
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), version)
 		},
 	})
 	if err := rootCmd.Execute(); err != nil {
