
Harden CI workflows against prompt injection and supply chain attacks#4034

Merged
ChrisJBurns merged 1 commit into main from harden-ci-agent-workflows
Mar 6, 2026
Conversation

@JAORMX (Collaborator) commented Mar 6, 2026

Summary

Security hardening of GitHub Actions workflows based on an audit informed by the Clinejection and hackerbot-claw attack patterns.

Changes by priority

| Priority | File | Fix |
|---|---|---|
| CRIT | claude.yml | Add author_association checks — blocks untrusted users (NONE, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR) from invoking the AI agent |
| CRIT | issue-triage.yml | Remove Bash(gh label list) tool access, add prompt injection defense instruction |
| HIGH | claude.yml | Add explicit allowed_tools — scopes Bash to task, go, git, helm-docs only |
| HIGH | CODEOWNERS | Protect CLAUDE.md, .claude/ (skills, agents, rules) from unauthorized modification |
| MED | security-scan.yml | Pin codeql-action and govulncheck-action to SHA hashes |
| MED | releaser.yml | Disable Go module cache for release builds (cache poisoning prevention) |
| MED | pr-size-labeler.yml | Move ${{ }} interpolation to env: variable in github-script |
| LOW | image-build-and-publish.yml | Reduce permissions from contents: write to contents: read |

Attack vectors mitigated

  • Prompt injection via comments/issues: Untrusted users can no longer invoke @claude or influence the triage bot to execute unintended actions
  • Arbitrary code execution: AI agents no longer have unrestricted Bash access
  • Poisoned system prompt: CLAUDE.md and .claude/ now require CODEOWNERS review
  • Supply chain (tag mutation): All actions are now SHA-pinned
  • Cache poisoning: Release builds install dependencies fresh
  • Expression injection: User-controlled values no longer interpolated in executable contexts

Not addressed (separate effort)

  • SLSA provenance generation is still commented out in releaser.yml — re-enabling requires additional configuration work

Test plan

  • Verify claude.yml still triggers for MEMBER/OWNER/COLLABORATOR comments containing @claude
  • Verify claude.yml does NOT trigger for comments from users with no association
  • Verify issue-triage.yml can still list labels via mcp__github__list_label
  • Verify security-scan.yml still uploads SARIF results with pinned action
  • Verify release workflow still builds successfully without Go cache
  • Verify PR size labeler still calculates and applies labels correctly
  • Verify image builds succeed with contents: read permissions

🤖 Generated with Claude Code
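The `claude.yml` items in the description (author_association gate, explicit `allowed_tools`, reduced token permissions, SHA-pinned actions) as one added example workflow. This is illustration written for this page, not the project's own file: the action names and inputs, the `Bash(...)` permission strings, the event payload paths and the `<full-commit-sha>` placeholders are assumptions, and the placeholders must be replaced with real 40-hex commit SHAs before use.

```yaml
# Added example (not the project's claude.yml): an issue_comment-triggered
# AI-agent job that only trusted associations can invoke, with a read-only
# token, an explicit Bash allowlist and SHA-pinned actions.
# Action names/inputs and <full-commit-sha> placeholders are assumptions.
name: claude

on:
  issue_comment:
    types: [created]
  # pull_request_review_comment exposes the same github.event.comment.* fields,
  # so the identical gate below works if that trigger is added.

# Default token is read-only; grant write only on the scopes the agent
# actually needs (e.g. pull-requests: write if it must post comments).
permissions:
  contents: read
  issues: read
  pull-requests: read

jobs:
  agent:
    # Allowlist rather than denylist. Besides the three associations the
    # PR blocks (NONE, FIRST_TIMER, FIRST_TIME_CONTRIBUTOR), CONTRIBUTOR is
    # granted to anyone with a single merged commit and is also left out.
    if: >-
      contains(github.event.comment.body, '@claude') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      # Pin to an immutable commit SHA; keep the tag in a trailing comment so
      # Dependabot/Renovate can bump it and humans can still read the version.
      - uses: actions/checkout@<full-commit-sha>   # vX.Y.Z (placeholder)
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for the agent's
          # shell commands to read.
          persist-credentials: false

      - uses: anthropics/claude-code-action@<full-commit-sha>   # vX.Y.Z (placeholder)
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Explicit Bash allowlist scoped to the build tooling the task
          # needs; anything else (curl, gh, sudo, ...) is refused even if a
          # prompt-injected issue body asks for it.
          allowed_tools: "Bash(task:*),Bash(go:*),Bash(git:*),Bash(helm-docs:*)"
```

The gate lives in the job-level `if:` rather than inside the prompt, so an untrusted comment never reaches the model at all. For the releaser item in the same table, the analogous one-line change is `cache: false` on `actions/setup-go`, which makes the release build download modules fresh instead of restoring a cache key another job may have written.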

Apply security hardening to GitHub Actions workflows based on an audit
informed by the Clinejection and hackerbot-claw attack patterns:

- claude.yml: Add author_association checks to block untrusted users from
  invoking the AI agent, and restrict allowed_tools to prevent arbitrary
  shell execution via prompt injection
- issue-triage.yml: Remove Bash tool access (replaced with MCP GitHub
  tool for label listing), add prompt injection defense instruction
- CODEOWNERS: Protect CLAUDE.md, .claude/ skills, agents, and rules
  from unauthorized modification (poisoned system prompt vector)
- security-scan.yml: Pin codeql-action and govulncheck-action to SHA
  hashes (were using unpinned tag references)
- releaser.yml: Disable Go module cache for release builds to prevent
  cache poisoning attacks
- pr-size-labeler.yml: Move expression interpolation to env variable
  to prevent injection in github-script context
- image-build-and-publish.yml: Reduce permissions from contents:write
  to contents:read (no git write operations are performed)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
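The expression-injection fix for `pr-size-labeler.yml` (moving `${{ }}` interpolation out of the `github-script` body into `env:`), shown as an added before/after example. This is illustration written for this page, not the project's workflow: the trigger, the size thresholds other than `size/XS < 100`, and the `<full-commit-sha>` placeholder are assumptions.

```yaml
# Added example (not the project's pr-size-labeler.yml): untrusted PR fields
# passed to actions/github-script the unsafe way and the hardened way.
# Trigger, non-XS thresholds and the SHA placeholder are assumptions.
name: pr-size-labeler

on:
  pull_request_target:      # runs with a write token, so injection matters
    types: [opened, synchronize]

permissions:
  contents: read
  pull-requests: write

jobs:
  size-label:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE FORM (kept as a comment for contrast; never run this):
      #
      #   - uses: actions/github-script@<full-commit-sha>
      #     with:
      #       script: |
      #         const title = '${{ github.event.pull_request.title }}';
      #
      # The runner expands ${{ }} *before* the script is parsed, so a PR
      # titled   '; await github.rest.issues.addLabels({...}); //
      # becomes part of the JavaScript source and runs with the job's token.

      # HARDENED FORM: the expansion happens in the step environment, and the
      # script reads the value as an ordinary string that is never evaluated.
      - name: apply size label
        uses: actions/github-script@<full-commit-sha>   # vX.Y.Z (placeholder)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          ADDITIONS: ${{ github.event.pull_request.additions }}
          DELETIONS: ${{ github.event.pull_request.deletions }}
        with:
          script: |
            const changed = Number(process.env.ADDITIONS) + Number(process.env.DELETIONS);
            // size/XS < 100 matches the repo label; the other cut-offs are assumed.
            const label = changed < 100 ? 'size/XS'
                        : changed < 500 ? 'size/M'
                        : 'size/XL';
            core.info(`PR "${process.env.PR_TITLE}": ${changed} lines -> ${label}`);
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              labels: [label],
            });
```

The same rule applies to `run:` steps: anything that comes from a PR, issue, comment, branch name or commit message goes through `env:` and is read as `"$VAR"` in the shell, never spliced into the command text by `${{ }}`.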
github-actions bot added the size/XS label (Extra small PR: < 100 lines changed) on Mar 6, 2026
codecov bot commented Mar 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.61%. Comparing base (e469d48) to head (6108022).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4034      +/-   ##
==========================================
- Coverage   68.62%   68.61%   -0.01%     
==========================================
  Files         444      444              
  Lines       45222    45222              
==========================================
- Hits        31033    31030       -3     
- Misses      11790    11793       +3     
  Partials     2399     2399              


@JAORMX JAORMX requested a review from rdimitrov March 6, 2026 13:11
@ChrisJBurns ChrisJBurns merged commit c3aeb02 into main Mar 6, 2026
32 checks passed
@ChrisJBurns ChrisJBurns deleted the harden-ci-agent-workflows branch March 6, 2026 19:21