ci: zizmor: Fix all template-injection alerts

Fix all instances of template injection by using environment variables as recommended by Zizmor, instead of directly injecting values into the commands. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-05-13 18:43:36 +00:00 · 2025-10-03 10:57:41 -05:00
parent 7b203d1b43
commit 5a4ddb8c71
9 changed files with 44 additions and 22 deletions
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -124,9 +124,11 @@ jobs:
          echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
      - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
        run: |
-          cd ${{ matrix.component.path }}
-          ${{ matrix.command }}
+          cd ${COMPONENT_PATH}
+          ${COMMAND}
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component.path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"
          SKIP_GO_VERSION_CHECK: "1"
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -127,9 +127,11 @@ jobs:
          echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
      - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
        run: |
-          cd ${{ matrix.component.path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          eval ${COMMAND}
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component.path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"
          SKIP_GO_VERSION_CHECK: "1"
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -97,7 +97,7 @@ jobs:
      - name: Build ${{ matrix.asset }}
        id: build
        run: |
-          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
+          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "GH_KBUILD_SIGN_PIN=${KBUILD_SIGN_PIN}" >> "${GITHUB_ENV}"
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
@@ -111,12 +111,15 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          GH_KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

@@ -205,7 +208,7 @@ jobs:
      - name: Build ${{ matrix.asset }}
        id: build
        run: |
-          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
+          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${GH_KBUILD_SIGN_PIN}" >> "${GITHUB_ENV}"
          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
@@ -220,6 +223,7 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          GH_KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -92,8 +92,10 @@ jobs:
      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -91,8 +91,10 @@ jobs:
      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -40,11 +40,14 @@ jobs:
      - name: Build runtime binaries
        run: |
          cd src/runtime
-          make ${{ matrix.make_target }}
+          make ${MAKE_TARGET}
        env:
+          MAKE_TARGET: ${{ matrix.make_target }}
          SKIP_GO_VERSION_CHECK: "1"

      - name: Run govulncheck on ${{ matrix.binary }}
+        env:
+          BINARY: ${{ matrix.binary }}
        run: |
          cd src/runtime
-          bash ../../tests/govulncheck-runner.sh "./${{ matrix.binary }}"
+          bash ../../tests/govulncheck-runner.sh "./${BINARY}"
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -260,10 +260,11 @@ jobs:
      - name: Login to the OCI registries
        env:
          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          GITHUB_ACTOR: ${{ github.actor }}
+          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+          GITHUB_TOKEN: ${{ github.token }}
        run: |
-          echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
-          echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
+          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+          echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin

      - name: Push helm chart to the OCI registries
        run: |
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -106,7 +106,9 @@ jobs:
      # qemu-runtime-rs only works with overlayfs
      # See: https://github.com/kata-containers/kata-containers/issues/10066
      - name: Configure the ${{ matrix.snapshotter }} snapshotter
-        run: bash tests/integration/kubernetes/gha-run.sh ${{ matrix.deploy-cmd }}
+        env:
+          DEPLOY_CMD: ${{ matrix.deploy-cmd }}
+        run: bash tests/integration/kubernetes/gha-run.sh ${DEPLOY_CMD}
        if: ${{ matrix.snapshotter != 'overlayfs' }}

      - name: Deploy Kata
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -90,9 +90,11 @@ jobs:
      - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
        run: |
          export PATH="$PATH:${HOME}/.cargo/bin"
-          cd ${{ matrix.component-path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          eval ${COMMAND}
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component-path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"

@@ -120,13 +122,13 @@ jobs:
          path: ./src/github.com/${{ github.repository }}
      - name: Install yq
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Install golang
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./tests/install_go.sh -f -p
          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
      - name: Install system dependencies
@@ -134,7 +136,7 @@ jobs:
          sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
      - name: Install open-policy-agent
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./tests/install_opa.sh
      - name: Install regorus
        env:
@@ -142,11 +144,13 @@ jobs:
          ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
          ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
        run: |
-          "${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
+          "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
      - name: Run check
+        env:
+          CMD: ${{ matrix.cmd }}
        run: |
          export PATH="${PATH}:${GOPATH}/bin"
-          cd "${GOPATH}/src/github.com/${{ github.repository }}" && ${{ matrix.cmd }}
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD}

  govulncheck:
    needs: skipper