Improve workflow security

.github/workflows/asset-build-and-publish.yml

@@ -10,9 +10,16 @@ name: Build, Publish and Release Teraslice Asset
 run-name: ${{ github.actor }} is building, publishing, and releasing the Teraslice Asset
 on:
   workflow_call:
+    secrets:
+      RELEASES_PRIVATE_KEY:
+        required: true
+      SLACK_BOT_TOKEN:
+        required: true
+
+permissions: {}
 
 jobs:
-  # Asset build, publish and release will only occur if the current asset version 
+  # Asset build, publish and release will only occur if the current asset version
   # is greater than the latest release or pre-release version
   version-check:
     runs-on: ubuntu-latest
@@ -24,6 +31,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Check for asset version update
         id: version_check
@@ -61,6 +70,8 @@ jobs:
         node-version: [22, 24]
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6
@@ -92,6 +103,8 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-node@v6
         with:
@@ -146,7 +159,9 @@ jobs:
 
       - name: Failed Announcement Response
         if: ${{ steps.announce-release.outputs.ok == 'false' }}
-        run: echo "Slackbot API failure response - ${{ steps.announce-release.outputs.response }}"
+        env:
+          SLACK_RESPONSE: ${{ steps.announce-release.outputs.response }}
+        run: echo "Slackbot API failure response - $SLACK_RESPONSE"
 
   check-for-website:
     runs-on: ubuntu-latest
@@ -158,6 +173,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Find website directory
         id: find-directory
         run: |
@@ -178,6 +195,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@v6

.github/workflows/asset-test.yml

@@ -2,26 +2,45 @@ name: Test Teraslice Asset
 run-name: ${{ github.actor }} is testing the Teraslice Asset
 on:
   workflow_call:
+    secrets:
+      DOCKER_USERNAME:
+        required: true
+      DOCKER_PASSWORD:
+        required: true
+
+permissions: {}
 
 jobs:
   check-docker-limit-before:
+    permissions:
+      contents: read
     uses: ./.github/workflows/check-docker-limit.yml
-    secrets: inherit 
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 
   cache-docker-images:
     needs: check-docker-limit-before
+    permissions:
+      contents: read
     uses: ./.github/workflows/cache-docker-images.yml
-    secrets: inherit
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 
   test-linux:
     runs-on: ubuntu-latest
     needs: cache-docker-images
+    permissions:
+      contents: read
     strategy:
       matrix:
         # NOTE: Hard Coded Node Version array, should match array in build-and-publish-asset.yml
         node-version: [22, 24]
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6
         with:
@@ -52,13 +71,17 @@ jobs:
             docker-images-
       - name: Get Commit Short SHA
         id: get-short-sha
+        env:
+          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
         run: |
-          calculatedSha=$(git rev-parse --short ${{ github.event.pull_request.head.sha || github.sha }})
+          calculatedSha=$(git rev-parse --short "$HEAD_SHA")
           echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_OUTPUT
       - run: pnpm test:all
       - name: Append dev tag to version
+        env:
+          COMMIT_SHORT_SHA: ${{ steps.get-short-sha.outputs.COMMIT_SHORT_SHA }}
         run: |
-          jq '.version += "-dev.${{ steps.get-short-sha.outputs.COMMIT_SHORT_SHA }}"' asset/asset.json > tempAsset.json && mv tempAsset.json asset/asset.json
+          jq --arg sha "$COMMIT_SHORT_SHA" '.version += "-dev." + $sha' asset/asset.json > tempAsset.json && mv tempAsset.json asset/asset.json
           cat asset/asset.json
       - run: pnpm dlx teraslice-cli -v
       - run: pnpm dlx teraslice-cli assets build
@@ -81,12 +104,16 @@ jobs:
   test-e2e:
     runs-on: ubuntu-latest
     needs: cache-docker-images
+    permissions:
+      contents: read
     strategy:
       matrix:
         # NOTE: Hard Coded Node Version array, should match array in build-and-publish-asset.yml
         node-version: [22, 24]
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6
         with:
@@ -118,8 +145,10 @@ jobs:
         run: npm install -g teraslice-cli
       - name: Get Commit Short SHA
         id: get-short-sha
+        env:
+          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
         run: |
-          calculatedSha=$(git rev-parse --short ${{ github.event.pull_request.head.sha || github.sha }})
+          calculatedSha=$(git rev-parse --short "$HEAD_SHA")
           echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_OUTPUT
       - run: pnpm test:e2e
       - name: Upload logs artifact
@@ -134,12 +163,16 @@ jobs:
   test-linux-encrypted:
     runs-on: ubuntu-latest
     needs: cache-docker-images
+    permissions:
+      contents: read
     strategy:
       matrix:
         # NOTE: Hard Coded Node Version array, should match array in build-and-publish-asset.yml
         node-version: [22, 24]
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6
         with:
@@ -174,8 +207,10 @@ jobs:
         run: command -v mkcert
       - name: Get Commit Short SHA
         id: get-short-sha
+        env:
+          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
         run: |
-          calculatedSha=$(git rev-parse --short ${{ github.event.pull_request.head.sha || github.sha }})
+          calculatedSha=$(git rev-parse --short "$HEAD_SHA")
           echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_OUTPUT
       - run: pnpm test:encrypted
       - name: Upload logs artifact
@@ -189,8 +224,12 @@ jobs:
 
   test-macos:
     runs-on: macos-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Use Node.js
         uses: actions/setup-node@v6
         with:
@@ -208,11 +247,15 @@ jobs:
 
   check-for-website:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       website_exists: ${{ steps.find-directory.outputs.website_exists }}
     steps:
       - name: Check out code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Find website directory
         id: find-directory
         run: |
@@ -227,8 +270,12 @@ jobs:
   test-website:
     runs-on: ubuntu-latest
     needs: check-for-website
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Use Node.js
         uses: actions/setup-node@v6
         with:
@@ -248,33 +295,44 @@ jobs:
     if: github.event_name != 'push' && github.actor != 'dependabot[bot]'
     needs: [test-linux, test-macos]
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      issues: write
     steps:
       - name: Get Artifacts List
         id: artifacts-list
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          RUN_ID: ${{ github.run_id }}
         run: |
-          ARTIFACTS_JSON=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts)
+          ARTIFACTS_JSON=$(gh api repos/$REPO/actions/runs/$RUN_ID/artifacts)
           echo $ARTIFACTS_JSON
           ID_LIST=$(echo "$ARTIFACTS_JSON" | jq -c  '[.artifacts[] | {name: .name, id:.id}]')
           echo $ID_LIST
           echo "artifact-ids=$ID_LIST" >> "$GITHUB_OUTPUT"
-          
+
       - name: Comment on PR
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
+          RUN_ID: ${{ github.run_id }}
         run: |
           ARTIFACT_IDS='${{ steps.artifacts-list.outputs.artifact-ids }}'
-          LIST=$(echo "$ARTIFACT_IDS" | jq -r '.[] | "\(.name): https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/\(.id)"')
+          LIST=$(echo "$ARTIFACT_IDS" | jq -r ".[] | \"\(.name): https://github.com/$REPO/actions/runs/$RUN_ID/artifacts/\(.id)\"")
           COMMENT=$(printf "Asset artifacts:\n%s" "$LIST")
-          gh api repos/${{ github.repository }}/issues/${PR_NUMBER}/comments -f body="$COMMENT"
+          gh api repos/$REPO/issues/$PR_NUMBER/comments -f body="$COMMENT"
 
 
   check-docker-limit-after:
     needs: test-linux
+    permissions:
+      contents: read
     uses: ./.github/workflows/check-docker-limit.yml
-    secrets: inherit 
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 
   all-tests-passed:
     needs: [test-linux, test-linux-encrypted, test-e2e, test-macos, test-website]

.github/workflows/cache-asset-bundles.yml

@@ -3,12 +3,18 @@ name: Cache Asset Bundles If No Cache Found
 on:
   workflow_call:
 
+permissions: {}
+
 jobs:
   cache-asset-bundles:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: Check out code
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Install pnpm
       uses: pnpm/action-setup@v6

.github/workflows/cache-docker-images.yml

@@ -2,13 +2,24 @@ name: Cache Docker Images If No Cache Found
 
 on:
   workflow_call:
+    secrets:
+      DOCKER_USERNAME:
+        required: true
+      DOCKER_PASSWORD:
+        required: true
+
+permissions: {}
 
 jobs:
   cache-docker-images:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - name: Check out code
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Install pnpm
       uses: pnpm/action-setup@v6

.github/workflows/check-docker-limit.yml

@@ -2,12 +2,23 @@ name: Check Docker Pull Rate Limit
 
 on:
   workflow_call:
+    secrets:
+      DOCKER_USERNAME:
+        required: true
+      DOCKER_PASSWORD:
+        required: true
+
+permissions: {}
 
 jobs:
   check-docker-pull-rate-limit:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
     - name: Install pnpm
       uses: pnpm/action-setup@v6
     - name: Check docker.hub pull limit

.github/workflows/check-github-api-limit.yml

@@ -3,6 +3,8 @@ name: Check Github API Rate limit
 on:
   workflow_call:
 
+permissions: {}
+
 jobs:
   check-github-api-rate-limit:
     runs-on: ubuntu-latest