ci: harden reusable GitHub Actions

.github/actions/debian/action.yml

@@ -10,36 +10,27 @@ inputs:
   target_branch:
     description: The target branch
     required: false
-    type: string
     default: 'next'
   arch:
     required: true
     description: Machine architecture to build packages for.
-    type: choice
-    options:
-      - amd64
-      - arm64
   crate:
     required: true
     description: Name of binary crate being packaged.
-    type: choice
   crate_dir:
     required: true
     description: Name of crate being packaged.
-    type: string
   service:
     required: true
     description: The service to build the packages for.
-    type: string
   package:
     required: true
     description: Name of packaging directory.
-    type: string
 runs:
   using: "composite"
   steps:
     - name: Rust cache
-      uses: Swatinem/rust-cache@v2
+      uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
       with:
         # Only update the cache on push onto the target branch. This strikes a nice balance between
         # cache hits and cache evictions (github has a 10GB cache limit).
@@ -53,53 +44,64 @@ runs:
     - name: Identify target git SHA
       id: git-sha
       shell: bash
+      env:
+        # Keep the workflow expression out of the shell body; quoting $GITREF below prevents command injection.
+        GITREF: ${{ inputs.gitref }}
       run: |
-        if git show-ref -q --verify "refs/remotes/origin/${{ inputs.gitref }}" 2>/dev/null; then
-          echo "sha=$(git show-ref --hash --verify 'refs/remotes/origin/${{ inputs.gitref }}')" >> $GITHUB_OUTPUT
-        elif git show-ref -q --verify "refs/tags/${{ inputs.gitref }}" 2>/dev/null; then
-          echo "sha=$(git show-ref --hash --verify 'refs/tags/${{ inputs.gitref }}')" >> $GITHUB_OUTPUT
-        elif git rev-parse --verify "${{ inputs.gitref }}^{commit}" >/dev/null 2>&1; then
-          echo "sha=$(git rev-parse --verify '${{ inputs.gitref }}^{commit}')" >> $GITHUB_OUTPUT
+        if git show-ref -q --verify "refs/remotes/origin/${GITREF}" 2>/dev/null; then
+          printf 'sha=%s\n' "$(git show-ref --hash --verify "refs/remotes/origin/${GITREF}")" >> "$GITHUB_OUTPUT"
+        elif git show-ref -q --verify "refs/tags/${GITREF}" 2>/dev/null; then
+          printf 'sha=%s\n' "$(git show-ref --hash --verify "refs/tags/${GITREF}")" >> "$GITHUB_OUTPUT"
+        elif git rev-parse --verify "${GITREF}^{commit}" >/dev/null 2>&1; then
+          printf 'sha=%s\n' "$(git rev-parse --verify "${GITREF}^{commit}")" >> "$GITHUB_OUTPUT"
         else
           echo "::error::Unknown git reference type"
           exit 1
         fi
 
     - name: Create package directories
       shell: bash
+      env:
+        SERVICE: ${{ inputs.service }}
       run: |
-        pkg=${{ inputs.service }}
+        pkg="$SERVICE"
         mkdir -p \
-          packaging/deb/$pkg/DEBIAN \
-          packaging/deb/$pkg/usr/bin \
-          packaging/deb/$pkg/lib/systemd/system \
-          packaging/deb/$pkg/opt/$pkg \
-        done
+          "packaging/deb/$pkg/DEBIAN" \
+          "packaging/deb/$pkg/usr/bin" \
+          "packaging/deb/$pkg/lib/systemd/system" \
+          "packaging/deb/$pkg/opt/$pkg"
 
     - name: Copy package install scripts
       shell: bash
+      env:
+        TARGET_SHA: ${{ steps.git-sha.outputs.sha }}
+        SERVICE: ${{ inputs.service }}
+        PACKAGE_DIR: ${{ inputs.package }}
+        CRATE_DIR: ${{ inputs.crate_dir }}
       run: |
-        svc=${{ inputs.service }}
-        pkg=${{ inputs.package }}
-        crate=${{ inputs.crate_dir }}
-        git show ${{ steps.git-sha.outputs.sha }}:bin/$crate/.env             > packaging/deb/$svc/lib/systemd/system/$svc.env
-        git show ${{ steps.git-sha.outputs.sha }}:packaging/$pkg/$svc.service > packaging/deb/$svc/lib/systemd/system/$svc.service
-        git show ${{ steps.git-sha.outputs.sha }}:packaging/$pkg/postinst     > packaging/deb/$svc/DEBIAN/postinst
-        git show ${{ steps.git-sha.outputs.sha }}:packaging/$pkg/postrm       > packaging/deb/$svc/DEBIAN/postrm
-        chmod 0775 packaging/deb/$svc/DEBIAN/postinst
-        chmod 0775 packaging/deb/$svc/DEBIAN/postrm
+        svc="$SERVICE"
+        pkg="$PACKAGE_DIR"
+        crate="$CRATE_DIR"
+        git show "${TARGET_SHA}:bin/$crate/.env"             > "packaging/deb/$svc/lib/systemd/system/$svc.env"
+        git show "${TARGET_SHA}:packaging/$pkg/$svc.service" > "packaging/deb/$svc/lib/systemd/system/$svc.service"
+        git show "${TARGET_SHA}:packaging/$pkg/postinst"     > "packaging/deb/$svc/DEBIAN/postinst"
+        git show "${TARGET_SHA}:packaging/$pkg/postrm"       > "packaging/deb/$svc/DEBIAN/postrm"
+        chmod 0775 "packaging/deb/$svc/DEBIAN/postinst"
+        chmod 0775 "packaging/deb/$svc/DEBIAN/postrm"
 
     - name: Create control files
       shell: bash
+      env:
+        SERVICE: ${{ inputs.service }}
       run: |
         # Map the architecture to the format required by Debian.
         # i.e. arm64 and amd64 instead of aarch64 and x86_64.
         arch=$(uname -m | sed "s/x86_64/amd64/" | sed "s/aarch64/arm64/")
         # Control file's version field must be x.y.z format so strip the rest.
         version=$(git describe --tags --abbrev=0 | sed 's/[^0-9.]//g' )
 
-        pkg=${{ inputs.service }}
-        cat > packaging/deb/$pkg/DEBIAN/control << EOF
+        pkg="$SERVICE"
+        cat > "packaging/deb/$pkg/DEBIAN/control" << EOF
         Package: $pkg
         Version: $version
         Section: base
@@ -115,47 +117,63 @@ runs:
     - name: Build binaries
       shell: bash
       env:
-        repo-url: ${{ github.server_url }}/${{ github.repository }}
+        CRATE: ${{ inputs.crate }}
+        REPO_URL: ${{ github.server_url }}/${{ github.repository }}
+        TARGET_SHA: ${{ steps.git-sha.outputs.sha }}
       run: |
-        cargo install ${{ inputs.crate }} --root . --locked --git ${{ env.repo-url }} --rev ${{ steps.git-sha.outputs.sha }}
+        cargo install "$CRATE" --root . --locked --git "$REPO_URL" --rev "$TARGET_SHA"
 
     - name: Copy binary files
       shell: bash
+      env:
+        SERVICE: ${{ inputs.service }}
+        CRATE: ${{ inputs.crate }}
       run: |
-        pkg=${{ inputs.service }}
-        bin=${{ inputs.crate }}
-        cp -p ./bin/$bin   packaging/deb/$pkg/usr/bin/
+        pkg="$SERVICE"
+        bin="$CRATE"
+        cp -p "./bin/$bin" "packaging/deb/$pkg/usr/bin/"
 
     - name: Build packages
       shell: bash
+      env:
+        SERVICE: ${{ inputs.service }}
       run: |
-        dpkg-deb --build --root-owner-group packaging/deb/${{ inputs.service }}
+        dpkg-deb --build --root-owner-group "packaging/deb/$SERVICE"
 
         # Save the .deb files, delete the rest.
         mv packaging/deb/*.deb .
         rm -rf packaging
 
-    - name: Package names
-      shell: bash
-      run: |
-        echo "package=${{ inputs.service }}-${{ inputs.gitref }}-${{ inputs.arch }}.deb" >> $GITHUB_ENV
-
     - name: Rename package files
       shell: bash
+      env:
+        SERVICE: ${{ inputs.service }}
+        GITREF: ${{ inputs.gitref }}
+        ARCH: ${{ inputs.arch }}
       run: |
-        mv ${{ inputs.service }}.deb ${{ env.package }}
+        package="${SERVICE}-${GITREF}-${ARCH}.deb"
+        mv "${SERVICE}.deb" "$package"
 
     - name: shasum packages
       shell: bash
+      env:
+        SERVICE: ${{ inputs.service }}
+        GITREF: ${{ inputs.gitref }}
+        ARCH: ${{ inputs.arch }}
       run: |
-        sha256sum ${{ env.package }} > ${{ env.package }}.checksum
+        package="${SERVICE}-${GITREF}-${ARCH}.deb"
+        sha256sum "$package" > "${package}.checksum"
 
     - name: Publish packages
       shell: bash
       env:
         GH_TOKEN: ${{ inputs.github_token }}
+        SERVICE: ${{ inputs.service }}
+        GITREF: ${{ inputs.gitref }}
+        ARCH: ${{ inputs.arch }}
       run: |
-        gh release upload ${{ inputs.gitref }} \
-          ${{ env.package }} \
-          ${{ env.package }}.checksum \
+        package="${SERVICE}-${GITREF}-${ARCH}.deb"
+        gh release upload "$GITREF" \
+          "$package" \
+          "${package}.checksum" \
           --clobber

.github/workflows/book.yml

@@ -28,34 +28,43 @@ on:
         type: string
         default: 'next'
 
+# Default the token to no scopes; each job opts into only the scopes it needs.
+permissions: {}
+
 jobs:
   # Always build and test the mdbook documentation whenever the docs folder is changed.
   #
   # The documentation is uploaded as a github artifact IFF it is required for deployment i.e. on push into the branch.
   build:
     name: Build documentation
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       # Installation from source takes a fair while, so we install the binaries directly instead.
       - name: Install mdbook and plugins
-        uses: taiki-e/install-action@v2
+        uses: taiki-e/install-action@97a5807a604e12de3a13b52d868ebecaeeea757c # v2
         with:
           tool: mdbook, mdbook-linkcheck, mdbook-alerts, mdbook-katex
 
       - name: Build book
-        run: mdbook build ${{ inputs.directory }}
+        env:
+          MDBOOK_DIRECTORY: ${{ inputs.directory }}
+        run: mdbook build "$MDBOOK_DIRECTORY"
 
       # Only Upload documentation if we want to deploy (i.e. push to the branch).
       - name: Setup Pages
         if: ${{ github.event_name == 'push' && github.ref == format('refs/heads/{0}', inputs.target_branch) }}
         id: pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
 
       - name: Upload book artifact
         if: ${{ github.event_name == 'push' && github.ref == format('refs/heads/{0}', inputs.target_branch) }}
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
         with:
           # We specify multiple [output] sections in our book.toml which causes mdbook to create separate folders for each. This moves the generated `html` into its own `html` subdirectory.
           path: ${{ inputs.directory }}/${{ inputs.artifact_path }}
@@ -69,7 +78,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: ${{ github.event_name == 'push' && github.ref == format('refs/heads/{0}', inputs.target_branch) }}
+    permissions:
+      id-token: write
+      pages: write
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

.github/workflows/build-docker.yml

@@ -37,37 +37,40 @@ on:
         description: 'AWS cache bucket'
         required: false
 
+# Default the token to no scopes; each job opts into only the scopes it needs.
+permissions: {}
+
 jobs:
   docker-build:
     runs-on: ubuntu-latest
     name: Build ${{ inputs.component }}
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Configure AWS credentials
         if: ${{ github.event.pull_request.head.repo.fork == false && inputs.use_cache }}
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
         with:
           aws-region: ${{ secrets.aws_region }}
           role-to-assume: ${{ secrets.aws_role }}
           role-session-name: GithubActionsSession
 
-      - name: Set cache parameters
-        if: ${{ github.event.pull_request.head.repo.fork == false && inputs.use_cache }}
-        run: |
-          echo "CACHE_FROM=type=s3,region=${{ secrets.aws_region }},bucket=${{ secrets.aws_cache_bucket }},name=miden-${{ inputs.component }}" >> $GITHUB_ENV
-          echo "CACHE_TO=type=s3,region=${{ secrets.aws_region }},bucket=${{ secrets.aws_cache_bucket }},name=miden-${{ inputs.component }}" >> $GITHUB_ENV
-
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
         with:
           cache-binary: true
 
       - name: Build Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
         with:
           push: false
           file: ${{ inputs.dockerfile_path }}
-          cache-from: ${{ env.CACHE_FROM || '' }}
-          cache-to: ${{ env.CACHE_TO || '' }}
+          # BuildKit cache settings stay in expressions rather than a shell step, avoiding command-injection risk.
+          cache-from: ${{ github.event.pull_request.head.repo.fork == false && inputs.use_cache && format('type=s3,region={0},bucket={1},name=miden-{2}', secrets.aws_region, secrets.aws_cache_bucket, inputs.component) || '' }}
+          cache-to: ${{ github.event.pull_request.head.repo.fork == false && inputs.use_cache && format('type=s3,region={0},bucket={1},name=miden-{2}', secrets.aws_region, secrets.aws_cache_bucket, inputs.component) || '' }}

.github/workflows/changelog.yml

@@ -12,14 +12,20 @@ on:
         type: string
         default: 'CHANGELOG.md'
 
+# Default the token to no scopes; this check only needs repository read access.
+permissions: {}
+
 jobs:
   changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Check for changes in changelog
         env:
           BASE_REF: ${{ github.event.pull_request.base.ref }}