harden workflows

- Adds explicit permissions
- explicit ubuntu-24.04 runner
- Don't persist git credentials if not needed
- Avoid injection through metadata

.github/workflows/base-image.yaml

@@ -10,15 +10,20 @@ on:
   schedule:
     - cron: 0 1 * * 1
 
+permissions:
+  contents: read
+
 jobs:
   push_image:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Docker Images
     env:
       DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Registry login
         run: |

.github/workflows/pull_request_review.yaml

@@ -3,15 +3,20 @@ name: pull_request_review test
 on:
   - pull_request_review
 
+permissions:
+  contents: read
+
 jobs:
   apply:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Apply approved changes on pull_request_review
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Plan
         uses: ./terraform-plan
@@ -27,8 +32,10 @@ jobs:
           path: tests/workflows/pull_request_review
 
       - name: Verify outputs
+        env:
+          OUTPUT_STRING: ${{ steps.output.outputs.output_string }}
         run: |
-          if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then
+          if [[ "$OUTPUT_STRING" != "the_string" ]]; then
             echo "::error:: output s not set correctly"
             exit 1
           fi

.github/workflows/pull_request_target.yaml

@@ -3,15 +3,20 @@ name: pull_request_target test
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   apply:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Apply approved changes on pull_request_target
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Plan
         uses: ./terraform-plan
@@ -27,8 +32,10 @@ jobs:
           path: tests/workflows/pull_request_target
 
       - name: Verify outputs
+        env:
+          OUTPUT_STRING: ${{ steps.output.outputs.output_string }}
         run: |
-          if [[ "${{ steps.output.outputs.output_string }}" != "the_string" ]]; then
+          if [[ "$OUTPUT_STRING" != "the_string" ]]; then
             echo "::error:: output s not set correctly"
             exit 1
           fi

.github/workflows/release.yaml

@@ -10,15 +10,23 @@ on:
         description: "Tag to release"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   image:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Release Actions
+    permissions:
+      contents: read
+      packages: write
     env:
       GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: true
 
       - name: Check tofu actions are up to date
         run: |
@@ -38,14 +46,14 @@ jobs:
 
       - name: Build action image
         id: image_build
+        env:
+          RELEASE_TAG: "${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}"
         run: |
-          RELEASE_TAG="${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}"
-
           docker buildx build \
             --build-arg FETCH_CHECKSUMS=yes \
             --build-arg VERSION="${RELEASE_TAG:1}" \
-            --tag danielflook/terraform-github-actions:$RELEASE_TAG \
-            --tag ghcr.io/dflook/terraform-github-actions:$RELEASE_TAG \
+            --tag "danielflook/terraform-github-actions:$RELEASE_TAG" \
+            --tag "ghcr.io/dflook/terraform-github-actions:$RELEASE_TAG" \
             --platform linux/amd64,linux/arm64 \
             --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \
             --push \
@@ -55,29 +63,31 @@ jobs:
           echo "digest=$(<manifest-list-digest.txt)" >> "$GITHUB_OUTPUT"
 
       - name: Release actions
+        env:
+          RELEASE_TAG: "${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}"
+          IMAGE_DIGEST: ${{ steps.image_build.outputs.digest }}
         run: |
-          export RELEASE_TAG="${{ github.event.release.tag_name }}${{ github.event.inputs.tag_name }}"
-          export major=$(echo $RELEASE_TAG | cut -d. -f1)
-          export minor=$(echo $RELEASE_TAG | cut -d. -f2)
+          export major=$(echo "$RELEASE_TAG" | cut -d. -f1)
+          export minor=$(echo "$RELEASE_TAG" | cut -d. -f2)
 
           git config --global user.name "Daniel Flook"
           git config --global user.email "[email protected]"
           
           function prepare_release() {
-              rsync -r $GITHUB_WORKSPACE/$action/ $HOME/$action
-              rm -rf $HOME/$action/.github
-              mkdir $HOME/$action/.github
-              cp $GITHUB_WORKSPACE/.github/FUNDING.yml $HOME/$action/.github/FUNDING.yml
+              rsync -r "$GITHUB_WORKSPACE/$action/" "$HOME/$action"
+              rm -rf "$HOME/$action/.github"
+              mkdir "$HOME/$action/.github"
+              cp "$GITHUB_WORKSPACE/.github/FUNDING.yml" "$HOME/$action/.github/FUNDING.yml"
           }
 
-          for action in $(cd $GITHUB_WORKSPACE && find . -name action.yaml -printf "%h\n" | sed 's/^.\///'); do
+          for action in $(cd "$GITHUB_WORKSPACE" && find . -name action.yaml -printf "%h\n" | sed 's/^.\///'); do
 
-            if git clone https://dflook:[email protected]/dflook/$action.git "$HOME/$action"; then
+            if git clone "https://dflook:[email protected]/dflook/$action.git" "$HOME/$action"; then
               echo "Releasing dflook/$action@$RELEASE_TAG"
 
               # git tags that use DockerHub for the image
               prepare_release
-              sed -i 's|  image:.*|  image: docker://danielflook/terraform-github-actions@${{ steps.image_build.outputs.digest }}|' $HOME/$action/action.yaml
+              sed -i "s|  image:.*|  image: docker://danielflook/terraform-github-actions@$IMAGE_DIGEST|" "$HOME/$action/action.yaml"
 
               git -C "$HOME/$action" add -A
               git -C "$HOME/$action" commit -m "$RELEASE_TAG"
@@ -90,7 +100,7 @@ jobs:
               # git tags that use GitHub Container Registry for the image
               git -C "$HOME/$action" checkout ghcr || git -C "$HOME/$action" checkout -b ghcr
               prepare_release
-              sed -i 's|  image:.*|  image: docker://ghcr.io/dflook/terraform-github-actions@${{ steps.image_build.outputs.digest }}|' $HOME/$action/action.yaml
+              sed -i "s|  image:.*|  image: docker://ghcr.io/dflook/terraform-github-actions@$IMAGE_DIGEST|" "$HOME/$action/action.yaml"
           
               git -C "$HOME/$action" add -A
               git -C "$HOME/$action" commit -m "$RELEASE_TAG-ghcr"
@@ -101,11 +111,11 @@ jobs:
               git -C "$HOME/$action" push --force --tags
 
               # Create the github release
-              cat $GITHUB_WORKSPACE/.github/release_template.md \
+              cat "$GITHUB_WORKSPACE/.github/release_template.md" \
                | envsubst \
                | jq --slurp --raw-input --arg RELEASE_TAG "$RELEASE_TAG" '{"tag_name": $RELEASE_TAG, "name": $RELEASE_TAG, "body": . }' \
                | curl -X POST \
-                   --user dflook:$GITHUB_TOKEN \
+                   --user "dflook:$GITHUB_TOKEN" \
                    --header "Content-Type: application/json" \
                    --data-binary @- \
                    "https://api.github.com/repos/dflook/$action/releases"

.github/workflows/repository_dispatch.yaml

@@ -5,13 +5,18 @@ on: [repository_dispatch]
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+permissions:
+  contents: read
+
 jobs:
   plan:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Create terraform plan
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: terraform plan
         uses: ./terraform-plan

.github/workflows/retain-images.yaml

@@ -4,14 +4,18 @@ on:
   schedule:
     - cron: 0 0 1 * *
 
+permissions:
+  contents: read
+
 jobs:
   pull_image:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: Pull images
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: docker pull

.github/workflows/test.yaml

@@ -3,13 +3,18 @@ name: Unit test
 on:
   - push
 
+permissions:
+  contents: read
+
 jobs:
   pytest_amd64:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     name: pytest amd64
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v4
@@ -40,6 +45,8 @@ jobs:
 #    steps:
 #      - name: Checkout
 #        uses: actions/checkout@v4
+#        with:
+#          persist-credentials: false
 #
 #      - name: Install dependencies
 #        run: |
@@ -58,13 +65,15 @@ jobs:
 #           GNUPGHOME=$HOME/.gnupg PYTHONPATH=image/tools:image/src pytest tests
 
   tofu:
-    runs-on: ubuntu-latest
-    name: OpenTofu
+    runs-on: ubuntu-24.04
+    name: OpenTofu actions
     env:
       GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Check tofu actions are up to date
         run: |