Security Audit & Fixes for GitHub Actions Workflows

.github/workflows/branch.yml

@@ -9,18 +9,26 @@ jobs:
   lint-fmt:
     name: Lint & Fmt
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
+
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version: 1.25.3
 
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/go-task/setup-task/releases to find the real hash for v1
       - name: Install Task
         uses: go-task/setup-task@v1
 
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/golangci/golangci-lint-action/releases to find the real hash for v9
       - name: Install golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
@@ -38,28 +46,38 @@ jobs:
   unittest:
     name: Unit Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
+
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version: 1.25.3
 
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/go-task/setup-task/releases to find the real hash for v1
       - name: Install Task
         uses: go-task/setup-task@v1
 
       - name: Install mockgen
         run: task install-mockgen
 
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/dagger/dagger-for-github/releases to find the real hash for v8.2.0
       - name: Generate main dagger code
         uses: dagger/dagger-for-github@v8.2.0
         with:
             verb: develop
             args: --sdk=go --compat=skip
             version: "v0.19.6"
 
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/dagger/dagger-for-github/releases to find the real hash for v8.2.0
       - name: Generate workspace dagger code
         uses: dagger/dagger-for-github@v8.2.0
         with:
@@ -77,10 +95,14 @@ jobs:
   security:
     name: Security checks
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
+
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
@@ -90,19 +112,25 @@ jobs:
       - name: Install gosec
         run: go install github.com/securego/gosec/v2/cmd/gosec@latest
 
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/go-task/setup-task/releases to find the real hash for v1
       - name: Install Task
         uses: go-task/setup-task@v1
 
       - name: Install mockgen
         run: task install-mockgen
 
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/dagger/dagger-for-github/releases to find the real hash for v8.2.0
       - name: Generate main dagger code
         uses: dagger/dagger-for-github@v8.2.0
         with:
             verb: develop
             args: --sdk=go --compat=skip
             version: "v0.19.6"
 
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/dagger/dagger-for-github/releases to find the real hash for v8.2.0
       - name: Generate workspace dagger code
         uses: dagger/dagger-for-github@v8.2.0
         with:

.github/workflows/build-and-deploy.yml

@@ -22,6 +22,8 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Authenticate to Google Cloud
       uses: google-github-actions/auth@v2
@@ -73,6 +75,8 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Authenticate to Google Cloud
       uses: google-github-actions/auth@v2
@@ -94,7 +98,7 @@ jobs:
       timeout-minutes: 10
       run: |
         terraform plan \
-          -var="base_url=${{ vars.BASE_URL }}" \
+          -var="base_url=${VARS_BASE_URL}" \
           -var="project_id=${{ env.PROJECT_ID }}" \
           -var="region=${{ env.REGION }}" \
           -var="gh_client_id=${{ secrets.GH_CLIENT_ID }}" \
@@ -105,14 +109,18 @@ jobs:
           -var="stripe_publishable_key=${{ secrets.STRIPE_PUBLISHABLE }}" \
           -var="stripe_webhook_secret=${{ secrets.STRIPE_WEBHOOK_SECRET }}" \
           -var="openai_api_key=${{ secrets.OPENAI_API_KEY }}" \
+          -var="resend_api_key=${{ secrets.RESEND_API_KEY }}" \
+          -var="feedback_to_email=${{ vars.FEEDBACK_TO_EMAIL || 'info@notifications.scalabit.dev' }}" \
           -var="container_image=${{ env.REGISTRY }}/${{ env.PROJECT_ID }}/workflow-scanner/workflow-scanner:${{ github.sha }}"
+      env:
+        VARS_BASE_URL: ${{ vars.BASE_URL }}
 
     - name: Terraform Apply (Production)
       working-directory: ./terraform/environments/production
       timeout-minutes: 15
       run: |
         terraform apply -auto-approve \
-          -var="base_url=${{ vars.BASE_URL }}" \
+          -var="base_url=${VARS_BASE_URL}" \
           -var="project_id=${{ env.PROJECT_ID }}" \
           -var="region=${{ env.REGION }}" \
           -var="gh_client_id=${{ secrets.GH_CLIENT_ID }}" \
@@ -123,7 +131,11 @@ jobs:
           -var="stripe_publishable_key=${{ secrets.STRIPE_PUBLISHABLE }}" \
           -var="stripe_webhook_secret=${{ secrets.STRIPE_WEBHOOK_SECRET }}" \
           -var="openai_api_key=${{ secrets.OPENAI_API_KEY }}" \
+          -var="resend_api_key=${{ secrets.RESEND_API_KEY }}" \
+          -var="feedback_to_email=${{ vars.FEEDBACK_TO_EMAIL || 'info@notifications.scalabit.dev' }}" \
           -var="container_image=${{ env.REGISTRY }}/${{ env.PROJECT_ID }}/workflow-scanner/workflow-scanner:${{ github.sha }}"
+      env:
+        VARS_BASE_URL: ${{ vars.BASE_URL }}
 
     - name: Cleanup Terraform lock on failure
       if: failure()

.github/workflows/main.yml

@@ -17,6 +17,7 @@ jobs:
       with:
         ref: ${{ github.event.pull_request.merge_commit_sha }}
         fetch-depth: '0'
+        persist-credentials: false
 
     - name: Output semver
       id: get_bump
@@ -32,4 +33,4 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         DEFAULT_BUMP: ${{ steps.get_bump.outputs.bump }}
-        TAG_PREFIX: v
+        TAG_PREFIX: v

.github/workflows/release.yaml

@@ -16,6 +16,8 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v5
+      with:
+        persist-credentials: false
 
     - name: Set up Go
       uses: actions/setup-go@v6
@@ -48,7 +50,7 @@ jobs:
 
         # Also tag with specific version if this is a release
         if [[ "${{ github.event_name }}" == "release" ]]; then
-          docker tag mariominhava04/workflow-scanner:latest mariominhava04/workflow-scanner:${{ env.TAG }}
-          docker push mariominhava04/workflow-scanner:${{ env.TAG }}
+          docker tag mariominhava04/workflow-scanner:latest mariominhava04/workflow-scanner:${TAG}
+          docker push mariominhava04/workflow-scanner:${TAG}
         fi
 

.github/workflows/sandbox-deploy.yml

@@ -30,6 +30,8 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Authenticate to Google Cloud
       uses: google-github-actions/auth@v2
@@ -70,6 +72,8 @@ jobs:
           -var="stripe_publishable_key=${{ secrets.TEST_STRIPE_PK }}" \
           -var="stripe_webhook_secret=${{ secrets.TEST_STRIPE_WEBHOOK_SECRET }}" \
           -var="openai_api_key=${{ secrets.OPENAI_API_KEY }}" \
+          -var="resend_api_key=${{ secrets.RESEND_API_KEY }}" \
+          -var="feedback_to_email=${{ vars.FEEDBACK_TO_EMAIL || 'info@notifications.scalabit.dev' }}" \
           -var="sandbox_allowed_users=${{ secrets.SANDBOX_ALLOWED_USERS }}"
 
     - name: Configure Docker to use gcloud as credential helper
@@ -99,6 +103,8 @@ jobs:
           -var="stripe_publishable_key=${{ secrets.TEST_STRIPE_PK }}" \
           -var="stripe_webhook_secret=${{ secrets.TEST_STRIPE_WEBHOOK_SECRET }}" \
           -var="openai_api_key=${{ secrets.OPENAI_API_KEY }}" \
+          -var="resend_api_key=${{ secrets.RESEND_API_KEY }}" \
+          -var="feedback_to_email=${{ vars.FEEDBACK_TO_EMAIL || 'info@notifications.scalabit.dev' }}" \
           -var="sandbox_allowed_users=${{ secrets.SANDBOX_ALLOWED_USERS }}"
 
     - name: Get Service URL
@@ -108,4 +114,4 @@ jobs:
           --region=${{ env.REGION }} \
           --format='value(status.url)')
         echo "Sandbox deployed to: $SERVICE_URL"
-        echo "::notice title=Sandbox Deployment::Sandbox environment deployed to $SERVICE_URL"
+        echo "::notice title=Sandbox Deployment::Sandbox environment deployed to $SERVICE_URL"

.github/workflows/vulnerable-workflow.yml

@@ -1,27 +1,36 @@
-name: Vulnerable Workflow for Testing
+name: Vulnerable Workflow
 
 on:
-  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
 
 jobs:
   test:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
-
+        with:
+          persist-credentials: false
+
       - name: Print PR title (Script Injection Vulnerability)
         run: |
-          echo "PR Title: ${{ github.event.pull_request.title }}"
-          echo "Branch: ${{ github.event.pull_request.head.ref }}"
-
+          echo "PR Title: ${GITHUB_EVENT_PULL_REQUEST_TITLE}"
+          echo "Branch: ${GITHUB_EVENT_PULL_REQUEST_HEAD_REF}"
+        env:
+          GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }}
+          GITHUB_EVENT_PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+
       - name: Setup with hardcoded secret
         env:
-          API_KEY: "sk-1234567890abcdef" 
+          API_KEY: "${{ secrets.API_KEY }}" # WARNING: Hardcoded secret found and replaced - original key should be revoked
         run: |
           echo "Using API key..."
-      
+
       - name: Run tests
         run: |
           npm test

.github/workflows/workflow-scanner.yml

@@ -1,32 +1,28 @@
-name: Test Workflow Scanner
+name: Workflow Scanner
 
 on:
-  pull_request
+  push:
+    branches:
+      - main
 
 jobs:
   test-scanner:
-    if: ${{ !contains(github.event.pull_request.title, 'Security Audit & Fixes for GitHub Actions Workflows') }}
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-
+      contents: read
+
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
-      - name: Login to Docker Hub
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/docker/login-action/releases to find the real hash for v3
+      - name: Docker Login
         uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Run workflow scanner
-        id: scanner
+      # TODO: Pin this action to a commit SHA for security
+      # Visit https://github.com/Scalabit/workflow-scanner-action/releases to find the real hash for master
+      - name: Run Workflow Scanner
         uses: Scalabit/workflow-scanner-action@master
-        with:
-          api-token: ${{ secrets.FS_API_TOKEN }}
-          github-token: ${{ secrets.GH_PAT }}
-          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
-          target-branch: main