From 5a4ddb8c71fdca03362fb12fa5cfe3934c93bd2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?=
Date: Fri, 3 Oct 2025 10:57:41 -0500
Subject: [PATCH] ci: zizmor: Fix all `template-injection` alerts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix all instances of template injection by using environment variables as recommended by Zizmor, instead of directly injecting values into the commands.

Signed-off-by: Aurélien Bombo
---
 .../build-checks-preview-riscv64.yaml | 6 ++++--
 .github/workflows/build-checks.yaml | 6 ++++--
 .../build-kata-static-tarball-amd64.yaml | 10 +++++++---
 .../build-kata-static-tarball-arm64.yaml | 4 +++-
 .../build-kata-static-tarball-s390x.yaml | 4 +++-
 .github/workflows/govulncheck.yaml | 7 +++++--
 .github/workflows/release.yaml | 7 ++++---
 .github/workflows/run-k8s-tests-on-zvsi.yaml | 4 +++-
 .github/workflows/static-checks.yaml | 18 +++++++++++-------
 9 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/build-checks-preview-riscv64.yaml b/.github/workflows/build-checks-preview-riscv64.yaml
index c5a666a331..cf7327eadd 100644
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -124,9 +124,11 @@ jobs:
 echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
 - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
 run: |
- cd ${{ matrix.component.path }}
- ${{ matrix.command }}
+ cd ${COMPONENT_PATH}
+ ${COMMAND}
 env:
+ COMMAND: ${{ matrix.command }}
+ COMPONENT_PATH: ${{ matrix.component.path }}
 RUST_BACKTRACE: "1"
 RUST_LIB_BACKTRACE: "0"
 SKIP_GO_VERSION_CHECK: "1"
diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml
index d61ca7e9ca..438a3725f3 100644
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
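Review bot: The new `${COMMAND}` line runs the matrix command through plain word splitting, so any shell syntax in matrix.command (pipes, `&&`, redirections, quoting) is no longer interpreted, whereas the removed `${{ matrix.command }}` line was substituted into the script before bash parsed it; build-checks.yaml in this same patch uses `eval ${COMMAND}` for the identical step, and the `Run check` hunk of static-checks.yaml has the same bare `${CMD}` form. Either confirm that every riscv64 matrix.command is a single simple command or align the three sites on one form. The `cd ${COMPONENT_PATH}` line should also be quoted as in build-checks.yaml: `cd "${COMPONENT_PATH}"`. Whichever form is kept, the value must remain a literal from the workflow's own matrix, since eval re-enables exactly the shell interpretation that the move to environment variables is meant to remove.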
@@ -127,9 +127,11 @@ jobs:
 echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
 - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
 run: |
- cd ${{ matrix.component.path }}
- ${{ matrix.command }}
+ cd "${COMPONENT_PATH}"
+ eval ${COMMAND}
 env:
+ COMMAND: ${{ matrix.command }}
+ COMPONENT_PATH: ${{ matrix.component.path }}
 RUST_BACKTRACE: "1"
 RUST_LIB_BACKTRACE: "0"
 SKIP_GO_VERSION_CHECK: "1"
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index d41814395a..67457af199 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -97,7 +97,7 @@ jobs:
 - name: Build ${{ matrix.asset }}
 id: build
 run: |
- [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
+ [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "GH_KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN}" >> "${GITHUB_ENV}"
 make "${KATA_ASSET}-tarball"
 build_dir=$(readlink -f build)
 # store-artifact does not work with symlink
@@ -111,12 +111,15 @@ jobs:
 ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 TARGET_BRANCH: ${{ inputs.target-branch }}
 RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+ GH_KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 - name: Parse OCI image name and digest
 id: parse-oci-segments
 if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+ env:
+ KATA_ASSET: ${{ matrix.asset }}
 run: |
- oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+ oci_image="$(<"build/${KATA_ASSET}-oci-image")"
 echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
 echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
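Review bot: `eval ${COMMAND}` is unquoted, so each word of the command is subject to glob expansion by the outer shell before eval ever sees it; `eval "${COMMAND}"` hands the value to eval intact, and the same applies to the `Running` step hunk in static-checks.yaml. Since eval turns the environment variable back into shell source, the step deserves a comment stating the invariant that keeps it safe, e.g. `# COMMAND is a literal from this workflow's matrix; never feed it from inputs or PR data, eval interprets it as shell`. The enclosing step starts before this hunk.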
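Review bot: The rewritten line writes `GH_KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN}` into GITHUB_ENV, but the step env added in the @@ -111 hunk defines `GH_KBUILD_SIGN_PIN` (from `secrets.KBUILD_SIGN_PIN`), not `KBUILD_SIGN_PIN`, so `${KBUILD_SIGN_PIN}` expands to empty and the exported variable carries the wrong name; the equivalent change in the @@ -205 hunk of this same file has the two names the right way round. It should read `[[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${GH_KBUILD_SIGN_PIN}" >> "${GITHUB_ENV}"`. Presumably nvidia asset builds in this job then run with an empty signing PIN rather than failing, which is worth confirming against a run log. I am inferring from line numbers that the `env:` block in @@ -111 belongs to this `Build` step; the step's body continues outside the hunk.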
@@ -205,7 +208,7 @@ jobs:
 - name: Build ${{ matrix.asset }}
 id: build
 run: |
- [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
+ [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${GH_KBUILD_SIGN_PIN}" >> "${GITHUB_ENV}"
 ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
 make "${KATA_ASSET}-tarball"
 build_dir=$(readlink -f build)
@@ -220,6 +223,7 @@ jobs:
 ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 TARGET_BRANCH: ${{ inputs.target-branch }}
 RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+ GH_KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
 - name: store-artifact ${{ matrix.asset }}
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index 8329fd1e8a..2ef6519d34 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -92,8 +92,10 @@ jobs:
 - name: Parse OCI image name and digest
 id: parse-oci-segments
 if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+ env:
+ KATA_ASSET: ${{ matrix.asset }}
 run: |
- oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+ oci_image="$(<"build/${KATA_ASSET}-oci-image")"
 echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
 echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml
index f4e3f4319d..23585e8d1a 100644
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -91,8 +91,10 @@ jobs:
 - name: Parse OCI image name and digest
 id: parse-oci-segments
 if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+ env:
+ ASSET: ${{ matrix.asset }}
 run: |
- oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+ oci_image="$(<"build/${ASSET}-oci-image")"
 echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
 echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index a34d91851f..72da82d672 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -40,11 +40,14 @@ jobs:
 - name: Build runtime binaries
 run: |
 cd src/runtime
- make ${{ matrix.make_target }}
+ make ${MAKE_TARGET}
 env:
+ MAKE_TARGET: ${{ matrix.make_target }}
 SKIP_GO_VERSION_CHECK: "1"
 - name: Run govulncheck on ${{ matrix.binary }}
+ env:
+ BINARY: ${{ matrix.binary }}
 run: |
 cd src/runtime
- bash ../../tests/govulncheck-runner.sh "./${{ matrix.binary }}"
+ bash ../../tests/govulncheck-runner.sh "./${BINARY}"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ec2e4f37ee..e0ea5cfbfa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -260,10 +260,11 @@ jobs:
 - name: Login to the OCI registries
 env:
 QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
- GITHUB_ACTOR: ${{ github.actor }}
+ QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+ GITHUB_TOKEN: ${{ github.token }}
 run: |
- echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
- echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
+ echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+ echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
 - name: Push helm chart to the OCI registries
 run: |
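Review bot: The new step variable is named `ASSET` here, while the identical `Parse OCI image name and digest` step in the amd64 and arm64 files of this same patch uses `KATA_ASSET`, which is also the name the amd64 `Build` step already relies on. Using one name across the three architectures keeps the workflows greppable and avoids a later copy-paste mixing `${ASSET}` and `${KATA_ASSET}`; change the two added lines to `KATA_ASSET: ${{ matrix.asset }}` and `oci_image="$(<"build/${KATA_ASSET}-oci-image")"`.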
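Review bot: The step env drops `GITHUB_ACTOR: ${{ github.actor }}` while the ghcr.io login line still reads `"${GITHUB_ACTOR}"`, so the step now depends on the runner's default `GITHUB_ACTOR` environment variable rather than on anything declared in the workflow. That works on GitHub-hosted and self-hosted runners that export the defaults, but the dependency is invisible to a reader of the step; add a comment above `run:` such as `# GITHUB_ACTOR comes from the runner's default environment; GITHUB_TOKEN is set above` so the removal is not mistaken for a regression and re-added later. If the job ever runs under a runner or container that does not populate the defaults, the login would attempt an empty username.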
diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml
index 19fdb7ef06..ad3156aa8d 100644
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -106,7 +106,9 @@ jobs:
 # qemu-runtime-rs only works with overlayfs
 # See: https://github.com/kata-containers/kata-containers/issues/10066
 - name: Configure the ${{ matrix.snapshotter }} snapshotter
- run: bash tests/integration/kubernetes/gha-run.sh ${{ matrix.deploy-cmd }}
+ env:
+ DEPLOY_CMD: ${{ matrix.deploy-cmd }}
+ run: bash tests/integration/kubernetes/gha-run.sh ${DEPLOY_CMD}
 if: ${{ matrix.snapshotter != 'overlayfs' }}
 - name: Deploy Kata
diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
index a66a6709d5..367a462892 100644
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -90,9 +90,11 @@ jobs:
 - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
 run: |
 export PATH="$PATH:${HOME}/.cargo/bin"
- cd ${{ matrix.component-path }}
- ${{ matrix.command }}
+ cd "${COMPONENT_PATH}"
+ eval ${COMMAND}
 env:
+ COMMAND: ${{ matrix.command }}
+ COMPONENT_PATH: ${{ matrix.component-path }}
 RUST_BACKTRACE: "1"
 RUST_LIB_BACKTRACE: "0"
@@ -120,13 +122,13 @@ jobs:
 path: ./src/github.com/${{ github.repository }}
 - name: Install yq
 run: |
- cd "${GOPATH}/src/github.com/${{ github.repository }}"
+ cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
 ./ci/install_yq.sh
 env:
 INSTALL_IN_GOPATH: false
 - name: Install golang
 run: |
- cd "${GOPATH}/src/github.com/${{ github.repository }}"
+ cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
 ./tests/install_go.sh -f -p
 echo "/usr/local/go/bin" >> "$GITHUB_PATH"
 - name: Install system dependencies
@@ -134,7 +136,7 @@ jobs:
 sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
 - name: Install open-policy-agent
 run: |
- cd "${GOPATH}/src/github.com/${{ github.repository }}"
+ cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
 ./tests/install_opa.sh
 - name: Install regorus
 env:
@@ -142,11 +144,13 @@ jobs:
 ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
 ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
 run: |
- "${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
+ "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
 - name: Run check
+ env:
+ CMD: ${{ matrix.cmd }}
 run: |
 export PATH="${PATH}:${GOPATH}/bin"
- cd "${GOPATH}/src/github.com/${{ github.repository }}" && ${{ matrix.cmd }}
+ cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD}
 govulncheck:
 needs: skipper