[SECURITY] Harden GitHub workflows (#346)

* chore: zizmor auto fixes

Signed-off-by: John McCall <john@overturemaps.org>

* Pin GitHub Actions and improve workflow permissions

Update CI/CD workflows to pin actions to specific commit SHAs and tighten behavior. Added concurrency groups to avoid overlapping runs, adjusted permissions (including id-token for OIDC, pages, and super-linter-specific rights), and moved some job-level permissions into the jobs that need them. Replaced direct uses of expressions in shell strings with explicit env variables (e.g. PR_HEAD_SHA, GITHUB_EVENT_NUMBER) to avoid quoting issues, and updated several action references (checkout, setup-node, configure-pages, upload/download artifacts, deploy-pages, aws credentials, super-linter, etc.) to stable SHAs for reproducibility and security.

Signed-off-by: John McCall <john@overturemaps.org>

* Bump GitHub Actions versions in workflows

Update action references across CI workflows to newer patch releases for stability and bug fixes: actions/checkout -> v6.0.2, actions/setup-node -> v6.3.0, aws-actions/configure-aws-credentials -> v6.1.0, and actions/download-artifact -> v8.0.1. Changes touch .github/workflows/lint.yml, production_deploy_documentation.yml, staging_deploy.yaml, and staging_deploy_cleanup.yaml.

Signed-off-by: John McCall <john@overturemaps.org>

* Update staging_deploy.yaml

Signed-off-by: John McCall <john@overturemaps.org>

* Update staging_deploy.yaml

Signed-off-by: John McCall <john@overturemaps.org>

---------

Signed-off-by: John McCall <john@overturemaps.org>

Author: lowlydba

.github/dependabot.yml

@@ -17,6 +17,8 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
+    cooldown:
+      default-days: 7
 
   # Maintain GitHub Actions dependencies
   - package-ecosystem: "github-actions"
@@ -29,3 +31,5 @@ updates:
     commit-message:
       prefix: "[CHORE](deps)"
       include: "scope"
+    cooldown:
+      default-days: 7

.github/workflows/lint.yml

@@ -5,26 +5,32 @@ on:
   pull_request:
   workflow_dispatch:
 
+concurrency:
+  group: lint-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
-  packages: read
-  issues: write
-  pull-requests: write
-  statuses: write
+  packages: read # for reading GitHub Packages registry images used by super-linter
 
 jobs:
   lint:
     name: Super-Linter
     runs-on: ubuntu-latest
+    permissions:
+      issues: write # for super-linter to create issue annotations
+      pull-requests: write # for super-linter PR summary comments
+      statuses: write # for super-linter commit status updates
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Required for super-linter to detect changed files
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Super-Linter
-        uses: super-linter/super-linter/slim@v8.6.0
+        uses: super-linter/super-linter/slim@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SAVE_SUPER_LINTER_SUMMARY: true

.github/workflows/production_deploy_documentation.yml

@@ -9,10 +9,12 @@ on:
   # Allow running from the actions tab
   workflow_dispatch:
 
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
 permissions:
-  id-token: write # required to use OIDC authentication
   contents: read # required to checkout the code from the repo
-  pages: write # for actions/deploy-pages
 
 jobs:
   build:
@@ -21,12 +23,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the docs repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version-file: package.json
 
@@ -40,11 +43,11 @@ jobs:
         run: npm run build
 
       - name: Setup Pages 🗂️
-        uses: actions/configure-pages@v6
+        uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
 
       - name: Upload static files as GH-Pages artifact 📦
         id: docs-website
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
         with:
           path: build
 
@@ -55,8 +58,11 @@ jobs:
       name: github-pages
       url: https://docs.overturemaps.org/
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # required for OIDC authentication with GitHub Pages
+      pages: write # for actions/deploy-pages
 
     steps:
       - name: Deploy to GitHub Pages 🚀
         id: docs-website
-        uses: actions/deploy-pages@v5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

.github/workflows/staging_deploy.yaml

@@ -11,9 +11,7 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  id-token: write
   contents: read
-  pull-requests: write
 
 env:
   DOCS_PATH: docs
@@ -44,20 +42,22 @@ jobs:
       schema-ref: ${{ steps.schema-docs.outputs.schema-ref }}
     steps:
       - name: Check out the main docs repo repository and build.
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version-file: 'package.json'
 
-      - uses: lowlydba/sustainable-npm@v3
+      - uses: lowlydba/sustainable-npm@31d51025884f424f58f22e4e6578178bb4e79632 # v3.0.0
 
       - run: npm ci --omit=dev
 
       - name: Generate schema markdown docs
         id: schema-docs
-        uses: OvertureMaps/workflows/.github/actions/generate-schema-docs@main
+        uses: OvertureMaps/workflows/.github/actions/generate-schema-docs@faa3fa4bbe01d85dc2e2139ff1f74ce70feb7df9 # main -- zizmor: ignore[stale-action-refs]
         with:
           output-dir: ${{ github.workspace }}/docs/schema/reference
           schema-ref: 'dev' # Temporary until we feel confident in the generated schema sans human review, then should be 'main'
@@ -70,7 +70,7 @@ jobs:
           SCHEMA_PREVIEW: ${{ env.SCHEMA_PREVIEW }}
 
       - name: Upload docs build as an artifact 📦
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           path: build
           name: build-artifact
@@ -83,14 +83,16 @@ jobs:
     needs: check-fork
     steps:
       - name: Check out the main docs repo repository and build.
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version-file: 'package.json'
 
-      - uses: lowlydba/sustainable-npm@v3
+      - uses: lowlydba/sustainable-npm@31d51025884f424f58f22e4e6578178bb4e79632 # v3.0.0
 
       - run: npm ci --omit=dev
 
@@ -102,7 +104,7 @@ jobs:
           SCHEMA_PREVIEW: ${{ env.SCHEMA_PREVIEW }}
 
       - name: Upload docs build as an artifact 📦
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           path: build
           name: build-artifact-no-autogen
@@ -114,42 +116,51 @@ jobs:
     environment:
       name: staging
       url: ${{ env.STAGING_URL }}${{ env.PREVIEW_PATH }}/index.html
+    permissions:
+      id-token: write # for AWS OIDC authentication
+      pull-requests: write # for posting staging preview PR comments
 
     steps:
       - name: Configure AWS credentials 🔐
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: ${{ env.AWS_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
 
       - name: Download auto-gen artifact 📥
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: build-artifact
           path: build-autogen
 
       - name: Download repo schema artifact 📥
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: build-artifact-no-autogen
           path: build-no-autogen
 
       - name: Copy to S3
         run: |
-          aws s3 sync --delete --quiet build-autogen s3://overture-managed-staging-usw2/gh-pages${{ env.PREVIEW_PATH }}/
-          aws s3 sync --delete --quiet build-no-autogen s3://overture-managed-staging-usw2/gh-pages${{ env.PREVIEW_PATH_NO_AUTOGEN }}/
+          aws s3 sync --delete --quiet build-autogen s3://overture-managed-staging-usw2/gh-pages${PREVIEW_PATH}/
+          aws s3 sync --delete --quiet build-no-autogen s3://overture-managed-staging-usw2/gh-pages${PREVIEW_PATH_NO_AUTOGEN}/
 
       - name: Bust the Cache
         run: |
-          aws cloudfront create-invalidation --distribution-id E1KP2IN0H2RGGT --paths "${{ env.PREVIEW_PATH }}/*" "${{ env.PREVIEW_PATH_NO_AUTOGEN }}/*"
+          aws cloudfront create-invalidation --distribution-id E1KP2IN0H2RGGT --paths "${PREVIEW_PATH}/*" "${PREVIEW_PATH_NO_AUTOGEN}/*"
 
       - name: Gather metadata for PR comment
         id: deploy-metadata
         run: |
           echo "time=$(date -u +'%b %d, %Y %H:%M UTC')" >> $GITHUB_OUTPUT
-          echo "short-sha=$(echo '${{ github.event.pull_request.head.sha }}' | cut -c1-7)" >> $GITHUB_OUTPUT
-          echo "schema-ref-short=$(echo '${{ needs.build-auto-gen.outputs.schema-ref }}' | sed 's|refs/heads/||;s|refs/tags/||')" >> $GITHUB_OUTPUT
-          echo "schema-short-sha=$(echo '${{ needs.build-auto-gen.outputs.schema-sha }}' | cut -c1-7)" >> $GITHUB_OUTPUT
+          echo "short-sha=${PR_HEAD_SHA:0:7}" >> $GITHUB_OUTPUT
+          schema_ref="${NEEDS_BUILD_AUTO_GEN_OUTPUTS_SCHEMA_REF#refs/heads/}"
+          schema_ref="${schema_ref#refs/tags/}"
+          echo "schema-ref-short=$schema_ref" >> $GITHUB_OUTPUT
+          echo "schema-short-sha=${NEEDS_BUILD_AUTO_GEN_OUTPUTS_SCHEMA_SHA:0:7}" >> $GITHUB_OUTPUT
+        env:
+          NEEDS_BUILD_AUTO_GEN_OUTPUTS_SCHEMA_REF: ${{ needs.build-auto-gen.outputs.schema-ref }}
+          NEEDS_BUILD_AUTO_GEN_OUTPUTS_SCHEMA_SHA: ${{ needs.build-auto-gen.outputs.schema-sha }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
 
       - name: Comment on PR
         uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff # v3.0.3

.github/workflows/staging_deploy_cleanup.yaml

@@ -6,6 +6,10 @@ on:
   pull_request:
     types: [closed]
 
+concurrency:
+  group: staging-cleanup-${{ github.event.number }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -15,14 +19,14 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-slim
     permissions:
-      id-token: write
+      id-token: write # for AWS OIDC authentication
     env:
       AWS_ROLE_ARN: arn:aws:iam::763944545891:role/pages-staging-oidc-overturemaps
       AWS_REGION: us-west-2
 
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: ${{ env.AWS_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
@@ -31,12 +35,18 @@ jobs:
       - name: Delete from S3
         run: |
           aws s3 rm --recursive \
-            s3://overture-managed-staging-usw2/gh-pages/${{ github.event.repository.name }}/pr/${{ github.event.number }}/ || true
+            s3://overture-managed-staging-usw2/gh-pages/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${GITHUB_EVENT_NUMBER}/ || true
           aws s3 rm --recursive \
-            s3://overture-managed-staging-usw2/gh-pages/${{ github.event.repository.name }}/pr/${{ github.event.number }}-no-autogen/ || true
+            s3://overture-managed-staging-usw2/gh-pages/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${GITHUB_EVENT_NUMBER}-no-autogen/ || true
+        env:
+          GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }}
+          GITHUB_EVENT_NUMBER: ${{ github.event.number }}
 
       - name: Bust the cache
         run: |
           aws cloudfront create-invalidation \
             --distribution-id E1KP2IN0H2RGGT \
-            --paths "/${{ github.event.repository.name }}/pr/${{ github.event.number }}/*" || true
+            --paths "/${GITHUB_EVENT_REPOSITORY_NAME}/pr/${GITHUB_EVENT_NUMBER}/*" || true
+        env:
+          GITHUB_EVENT_REPOSITORY_NAME: ${{ github.event.repository.name }}
+          GITHUB_EVENT_NUMBER: ${{ github.event.number }}