From e1ec55ab94540a571555691b9e2d9c817698b589 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Wed, 1 Jul 2026 23:45:41 -0700 Subject: [PATCH 1/3] fix(ci): hoist template expressions into env in build workflow Refs: PSEC-923 Generated-By: claude-guard chain a48e874cad6e33af55ac66904dac8ae8 Skills-Applied: template-injection Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967 Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f --- .github/workflows/.build.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/.build.yaml b/.github/workflows/.build.yaml index aa255b35..0b961696 100644 --- a/.github/workflows/.build.yaml +++ b/.github/workflows/.build.yaml @@ -38,17 +38,20 @@ jobs: # Auth to GitHub Container Registry (ghcr.io) - name: Login to registry if: inputs.registry != '' + env: + GITHUB_TOKEN: ${{ github.token }} run: | set -x - echo "${{ github.token }}" | docker login \ - -u "${{ github.repository_owner }}" \ + echo "$GITHUB_TOKEN" | docker login \ + -u "$GITHUB_REPOSITORY_OWNER" \ --password-stdin ghcr.io # Build and push image using terraform-provider-apko - name: Build image with apko/terraform env: TF_VAR_target_repository: ${{ inputs.registry != '' && inputs.registry || format('localhost:5000/{0}', inputs.image) }} + IMAGE: ${{ inputs.image }} run: | set -x terraform init - terraform apply -auto-approve -target=module.${{inputs.image}} + terraform apply -auto-approve -target="module.${IMAGE}" From 409c06fc4e19449c834753b99e544703881c3cc7 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Wed, 1 Jul 2026 23:45:46 -0700 Subject: [PATCH 2/3] fix(ci): scope GitHub Actions permissions to least privilege Refs: PSEC-923 Generated-By: claude-guard chain a48e874cad6e33af55ac66904dac8ae8 Skills-Applied: excessive-permissions Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967 Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f --- .github/workflows/release.yaml | 41 ++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5336ecf9..83a9c6df 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -8,62 +8,95 @@ on: concurrency: release -permissions: - contents: read # Needed to clone the repo - id-token: write # Needed to sign images - packages: write # Needed to publish images to GHCR +permissions: {} jobs: alpine-base: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: alpine-base registry: ghcr.io/wolfi-dev apko: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: apko registry: ghcr.io/wolfi-dev gcc-musl: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: gcc-musl registry: ghcr.io/wolfi-dev musl-dynamic: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: musl-dynamic registry: ghcr.io/wolfi-dev sdk: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: sdk registry: ghcr.io/wolfi-dev static-alpine: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: static registry: ghcr.io/wolfi-dev git-alpine: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: git registry: ghcr.io/wolfi-dev busybox-alpine: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: busybox registry: ghcr.io/wolfi-dev spdx-tools: uses: ./.github/workflows/.build.yaml + permissions: + contents: read # Clone the repo in the reusable build workflow + id-token: write # Keyless image signing via cosign/OIDC + packages: write # Publish images to GHCR with: image: spdx-tools registry: ghcr.io/wolfi-dev From 81939e3ee4fb0fb7511a48f891f809f13037dc0f Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Wed, 1 Jul 2026 23:45:51 -0700 Subject: [PATCH 3/3] fix(ci): add zizmor config and dependabot cooldown Refs: PSEC-923 Generated-By: claude-guard chain a48e874cad6e33af55ac66904dac8ae8 Skills-Applied: zizmor-config Skills-Sha: d1a637a7f238e262da2698fbdbfd84d56a645e4cf4c63cdfcb3347544f7f2967 Image-Sha: sha256:3b5a6a2d7ac0edcd1da9473f63aef0922371ae7094a2583f4faa5bdef838bc1f --- .github/dependabot.yaml | 4 ++++ .github/workflows/zizmor.yaml | 4 ++++ .github/zizmor.yml | 15 +++++++++++++++ 3 files changed, 23 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 691c3f20..ee14c66f 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -6,7 +6,11 @@ updates: schedule: interval: "daily" open-pull-requests-limit: 10 + cooldown: + default-days: 3 - package-ecosystem: terraform directory: "/" schedule: interval: "daily" + cooldown: + default-days: 3 diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index f380a547..acaf6432 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -9,11 +9,15 @@ on: paths: - '.github/workflows/**' - '.github/actions/**' + - '.github/zizmor.yml' + - '.github/dependabot.yaml' push: branches: ['main'] paths: - '.github/workflows/**' - '.github/actions/**' + - '.github/zizmor.yml' + - '.github/dependabot.yaml' permissions: {} diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..39a848ae --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,15 @@ +# Copyright 2026 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +rules: + # Paired with `cooldown.default-days: 3` in .github/dependabot.yaml. + # Pedantic persona's default cooldown threshold is 7 days; lower it to + # match the repo's configured cooldown. + dependabot-cooldown: + config: + days: 3 + # Cosmetic pedantic-only findings — suppressed across the campaign. + anonymous-definition: + disable: true + concurrency-limits: + disable: true