fix: scope id-token to publish, harden version handling, idempotent calver

ValentaTomas · ValentaTomas · commit ef204f42d222 · 2026-05-08T17:56:59.000-07:00
- Drop workflow-level id-token: write; only the publish job (which
  needs OIDC for GCP auth) gets id-token: write. PR builds no longer
  receive a token they can exchange for cloud creds.
- Validate kernel versions against [0-9]+(\.[0-9]+)+ in the matrix job
  and pass matrix.version to build.sh via env vars instead of inline
  YAML expression interpolation, so a malicious kernel_versions.txt
  entry can't shell-inject into the runner.
- Calver tag picker now also checks local and remote git tags, not
  just GH releases, so retries after a partial publish no longer pick
  a tag that's already been pushed.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,12 +5,13 @@ on:
   pull_request:
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
 
 jobs:
   matrix:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       build_matrix: ${{ steps.gen.outputs.matrix }}
     steps:
@@ -19,11 +20,17 @@ jobs:
         run: |
           python3 - >> "$GITHUB_OUTPUT" <<'PY'
           import json
+          import re
+          import sys
+          VERSION_RE = re.compile(r"^[0-9]+(?:\.[0-9]+)+$")
           versions = []
           for line in open("kernel_versions.txt").read().splitlines():
               v = line.split("#", 1)[0].strip()
-              if v:
-                  versions.append(v)
+              if not v:
+                  continue
+              if not VERSION_RE.match(v):
+                  sys.exit(f"::error::invalid kernel version in kernel_versions.txt: {v!r}")
+              versions.append(v)
           include = []
           for v in versions:
               include.append({"version": v, "arch": "amd64", "target_arch": "x86_64", "runner": "ubuntu-24.04"})
@@ -38,11 +45,16 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJson(needs.matrix.outputs.build_matrix) }}
     runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
 
       - name: Build kernel
-        run: sudo ./build.sh "${{ matrix.version }}" "${{ matrix.target_arch }}"
+        env:
+          KERNEL_VERSION: ${{ matrix.version }}
+          KERNEL_TARGET_ARCH: ${{ matrix.target_arch }}
+        run: sudo ./build.sh "$KERNEL_VERSION" "$KERNEL_TARGET_ARCH"
 
       - uses: actions/upload-artifact@v4
         with:
@@ -54,6 +66,9 @@ jobs:
     needs: build
     if: github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -86,7 +101,9 @@ jobs:
           base="$(date -u +%Y.%m.%d)"
           tag="$base"
           n=0
-          while gh release view "$tag" >/dev/null 2>&1; do
+          while gh release view "$tag" >/dev/null 2>&1 \
+                || git rev-parse "refs/tags/$tag" >/dev/null 2>&1 \
+                || git ls-remote --exit-code --tags origin "refs/tags/$tag" >/dev/null 2>&1; do
             n=$((n + 1))
             tag="${base}.${n}"
           done
