fix: harden all reusable workflows against code scanning alerts

Security fixes across 11 workflow files:

- Pin all 3rd party action references to commit SHAs with version comments
- Move all ${{ inputs.* }}, ${{ env.* }}, ${{ steps.*.outputs.* }}, and
  ${{ job.status }} expressions from run: blocks to step env: blocks to
  prevent code injection
- Use heredoc format for all $GITHUB_ENV writes to prevent env var
  injection via newline characters
- Add persist-credentials: false to untrusted PR checkouts
- Execute pre_build_script via temp file instead of inline interpolation
  with EXIT trap for guaranteed cleanup
- Use openssl rand -hex 8 for heredoc delimiters consistently
- Fix helm-chart-package: invalid if: condition, scan-ref path separator,
  PR notification condition for reusable workflows, PREVIOUS_VERSION
  same-step usage
- Fix docker-promote-jfrog: typo, target_env validation alignment,
  whitespace trimming for comma-separated tags
- Fix docker-promote-dockerhub: whitespace trimming for tags
- Validate secret key names in get_infisical_secrets action
- Add dependency checks, path traversal validation, domain normalization,
  and workflow command escaping in get_infisical_secrets action

Author: derrix060

.github/workflows/commitizen.yaml

@@ -17,16 +17,18 @@ jobs:
       version: ${{ steps.cz.outputs.version }}
     steps:
       - name: Check out
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           token: "${{ secrets.access-token }}"
 
       - id: cz
         name: Create bump and changelog
-        uses: commitizen-tools/commitizen-action@master
+        uses: commitizen-tools/commitizen-action@338bbd841b75aaee6bf5340e1fa12f6ab58ff9ff # 0.27.1
         with:
           github_token: ${{ secrets.access-token }}
 
       - name: Print Version
-        run: echo "Bumped to version ${{ steps.cz.outputs.version }}"
+        env:
+          CZ_VERSION: ${{ steps.cz.outputs.version }}
+        run: echo "Bumped to version ${CZ_VERSION}"

.github/workflows/compute-terraform-module-name.yaml

@@ -20,8 +20,10 @@ jobs:
     steps:
       - id: compute
         shell: bash
+        env:
+          INPUT_REPOSITORY_NAME: ${{ inputs.repository_name }}
         run: |
-          REPOSITORY_NAME=${{ inputs.repository_name }}
+          REPOSITORY_NAME="${INPUT_REPOSITORY_NAME}"
           REPOSITORY_NAME=${REPOSITORY_NAME#*/}
           PROVIDER_AND_MODULE=${REPOSITORY_NAME#*-}
           MODULE_NAME=${PROVIDER_AND_MODULE#*-}

.github/workflows/docker-build-push-dockerhub.yaml

@@ -130,6 +130,7 @@ jobs:
           ref: ${{ inputs.git_ref }}
           submodules: ${{ inputs.checkout_submodules }}
           fetch-depth: ${{ inputs.fetch-depth }}
+          persist-credentials: false
 
       - name: Login to Docker Hub
         uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
@@ -139,8 +140,15 @@ jobs:
 
       - name: Run pre-build script
         if: ${{ inputs.pre_build_script != '' }}
+        env:
+          PRE_BUILD_SCRIPT: ${{ inputs.pre_build_script }}
         run: |
-          ${{ inputs.pre_build_script }}
+          # Accepted risk: pre_build_script is intentionally executed as caller-provided code
+          SCRIPT_PATH="${RUNNER_TEMP:-/tmp}/pre_build_$$.sh"
+          trap 'rm -f "$SCRIPT_PATH"' EXIT
+          printf '%s\n' "$PRE_BUILD_SCRIPT" > "$SCRIPT_PATH"
+          chmod +x "$SCRIPT_PATH"
+          bash "$SCRIPT_PATH"
 
       - name: Build and push
         uses: NethermindEth/github-action-image-build-and-push@fefef12a2baef6d339fb4b244b4cd45c40146161

.github/workflows/docker-build-push-jfrog.yaml

@@ -134,26 +134,31 @@ jobs:
           ref: ${{ inputs.git_ref }}
           submodules: ${{ inputs.checkout_submodules }}
           fetch-depth: ${{ inputs.fetch-depth }}
+          persist-credentials: false
 
       - name: Set env vars
         id: env-vars
+        env:
+          INPUT_REPO_NAME: ${{ inputs.repo_name }}
+          INPUT_GROUP_NAME: ${{ inputs.group_name }}
+          INPUT_IMAGE_NAME: ${{ inputs.image_name }}
         run: |
           # Set Repo name
-          if [[ -n "${{ inputs.repo_name }}" ]]; then
-            export REPO_NAME="${{ inputs.repo_name }}"
-          elif [[ -n "${{ inputs.group_name }}" ]]; then
-            export REPO_NAME="${{ inputs.group_name }}-oci-local-dev"
+          if [[ -n "${INPUT_REPO_NAME}" ]]; then
+            export REPO_NAME="${INPUT_REPO_NAME}"
+          elif [[ -n "${INPUT_GROUP_NAME}" ]]; then
+            export REPO_NAME="${INPUT_GROUP_NAME}-oci-local-dev"
           else
             echo "Unable to determine the repo name.  Please set either group_name or the repo_name."
             exit 1
           fi
 
           # Set image name
-          echo "IMAGE_NAME=${REPO_NAME}/${{ inputs.image_name }}" >> $GITHUB_OUTPUT
+          echo "IMAGE_NAME=${REPO_NAME}/${INPUT_IMAGE_NAME}" >> $GITHUB_OUTPUT
 
       - name: Install JFrog CLI
         id: jfrog
-        uses: jfrog/setup-jfrog-cli@v4
+        uses: jfrog/setup-jfrog-cli@86dacb6974c66cc99e7651e1205f6581aaddba9a # v4.10.0
         env:
           JF_URL: https://${{ inputs.jfrog_url }}
         with:
@@ -168,8 +173,15 @@ jobs:
 
       - name: Run pre-build script
         if: ${{ inputs.pre_build_script != '' }}
+        env:
+          PRE_BUILD_SCRIPT: ${{ inputs.pre_build_script }}
         run: |
-          ${{ inputs.pre_build_script }}
+          # Accepted risk: pre_build_script is intentionally executed as caller-provided code
+          SCRIPT_PATH="${RUNNER_TEMP:-/tmp}/pre_build_$$.sh"
+          trap 'rm -f "$SCRIPT_PATH"' EXIT
+          printf '%s\n' "$PRE_BUILD_SCRIPT" > "$SCRIPT_PATH"
+          chmod +x "$SCRIPT_PATH"
+          bash "$SCRIPT_PATH"
 
       - name: Build and push
         uses: NethermindEth/github-action-image-build-and-push@fefef12a2baef6d339fb4b244b4cd45c40146161

.github/workflows/docker-promote-dockerhub.yaml

@@ -39,11 +39,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set environment variables
+        env:
+          INPUT_SOURCE_REPO_NAME: ${{ inputs.source_repo_name }}
+          INPUT_TARGET_REPO_NAME: ${{ inputs.target_repo_name }}
+          INPUT_IMAGE_NAME: ${{ inputs.image_name }}
         run: |
-          SOURCE_IMAGE="${{ inputs.source_repo_name }}/${{ inputs.image_name }}"
-          TARGET_IMAGE="${{ inputs.target_repo_name }}/${{ inputs.image_name }}"
-          echo "SOURCE_IMAGE=${SOURCE_IMAGE}" >> $GITHUB_ENV
-          echo "TARGET_IMAGE=${TARGET_IMAGE}" >> $GITHUB_ENV
+          SOURCE_IMAGE="${INPUT_SOURCE_REPO_NAME}/${INPUT_IMAGE_NAME}"
+          TARGET_IMAGE="${INPUT_TARGET_REPO_NAME}/${INPUT_IMAGE_NAME}"
+          EOF_MARKER="GHEOF_$(openssl rand -hex 8)"
+          {
+            echo "SOURCE_IMAGE<<${EOF_MARKER}"
+            echo "${SOURCE_IMAGE}"
+            echo "${EOF_MARKER}"
+            echo "TARGET_IMAGE<<${EOF_MARKER}"
+            echo "${TARGET_IMAGE}"
+            echo "${EOF_MARKER}"
+          } >> "$GITHUB_ENV"
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -59,12 +70,18 @@ jobs:
 
       - name: Promote Images
         id: promote
+        env:
+          INPUT_TAGS: ${{ inputs.tags }}
+          INPUT_SOURCE_TAG: ${{ inputs.source_tag }}
         run: |
           # Promote all specified tags
-          IFS=',' read -ra TAGS <<< "${{ inputs.tags }}"
+          IFS=',' read -ra TAGS <<< "${INPUT_TAGS}"
+          for i in "${!TAGS[@]}"; do
+            TAGS[$i]=$(echo "${TAGS[$i]}" | xargs)
+          done
           for TAG in "${TAGS[@]}"; do
-            if [[ "${{ inputs.source_tag }}" != "none" ]]; then
-              source_image="${SOURCE_IMAGE}:${{ inputs.source_tag }}"
+            if [[ "${INPUT_SOURCE_TAG}" != "none" ]]; then
+              source_image="${SOURCE_IMAGE}:${INPUT_SOURCE_TAG}"
             else
               source_image="${SOURCE_IMAGE}:${TAG}"
             fi
@@ -87,9 +104,11 @@ jobs:
           push-to-registry: true
 
       - name: Record Promotion
+        env:
+          INPUT_TAGS: ${{ inputs.tags }}
         run: |
           echo "## Image Promotion :rocket:" >> $GITHUB_STEP_SUMMARY
           echo "- From: $SOURCE_IMAGE" >> $GITHUB_STEP_SUMMARY
           echo "- To: $TARGET_IMAGE" >> $GITHUB_STEP_SUMMARY
-          echo "- Tags: ${{ inputs.tags }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Tags: ${INPUT_TAGS}" >> $GITHUB_STEP_SUMMARY
           echo "- Timestamp: $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY

.github/workflows/docker-promote-jfrog.yaml

@@ -45,39 +45,57 @@ jobs:
     name: Promote Docker image
     runs-on: ubuntu-latest
     steps:
-      - name: Validade input
+      - name: Validate input
+        env:
+          INPUT_TARGET_ENV: ${{ inputs.target_env }}
+          INPUT_SOURCE_ENV: ${{ inputs.source_env }}
         run: |
-          if [[ ! "${{ inputs.target_env }}" =~ ^(dev|staging|prod)$ ]]; then
-            echo "Invalid environment. Choose 'dev', 'staging' or 'prod'"
+          if [[ ! "${INPUT_TARGET_ENV}" =~ ^(staging|prod)$ ]]; then
+            echo "Invalid environment. Choose 'staging' or 'prod'"
             exit 1
           fi
 
-          if [[ ! "${{ inputs.source_env }}" =~ ^(dev|staging|none)$ ]]; then
+          if [[ ! "${INPUT_SOURCE_ENV}" =~ ^(dev|staging|none)$ ]]; then
             echo "Invalid environment. Choose 'dev', 'staging' or don't set it"
             exit 1
           fi
 
       - name: Set environment variables
+        env:
+          INPUT_SOURCE_ENV: ${{ inputs.source_env }}
+          INPUT_TARGET_ENV: ${{ inputs.target_env }}
+          INPUT_JFROG_URL: ${{ inputs.jfrog_url }}
+          INPUT_GROUP_NAME: ${{ inputs.group_name }}
+          INPUT_IMAGE_NAME: ${{ inputs.image_name }}
         run: |
-          if [[ "${{ inputs.source_env }}" == "none" ]]; then
-            SOURCE_ENV=$([[ "${{ inputs.target_env }}" == "staging" ]] && echo "dev" || echo "staging")
-            echo "SOURCE_ENV=${SOURCE_ENV}" >> $GITHUB_ENV
+          if [[ "${INPUT_SOURCE_ENV}" == "none" ]]; then
+            SOURCE_ENV=$([[ "${INPUT_TARGET_ENV}" == "staging" ]] && echo "dev" || echo "staging")
           else
-            SOURCE_ENV="${{ inputs.source_env }}"
-            echo "SOURCE_ENV=${SOURCE_ENV}" >> $GITHUB_ENV
+            SOURCE_ENV="${INPUT_SOURCE_ENV}"
           fi
 
-          SOURCE_IMAGE="${{ inputs.jfrog_url }}/${{ inputs.group_name }}-oci-local-${SOURCE_ENV}/${{ inputs.image_name }}"
-          TARGET_IMAGE="${{ inputs.jfrog_url }}/${{ inputs.group_name }}-oci-local-${{ inputs.target_env }}/${{ inputs.image_name }}"
-          echo "SOURCE_IMAGE=${SOURCE_IMAGE}" >> $GITHUB_ENV
-          echo "TARGET_IMAGE=${TARGET_IMAGE}" >> $GITHUB_ENV
+          SOURCE_IMAGE="${INPUT_JFROG_URL}/${INPUT_GROUP_NAME}-oci-local-${SOURCE_ENV}/${INPUT_IMAGE_NAME}"
+          TARGET_IMAGE="${INPUT_JFROG_URL}/${INPUT_GROUP_NAME}-oci-local-${INPUT_TARGET_ENV}/${INPUT_IMAGE_NAME}"
+
+          EOF_MARKER="GHEOF_$(openssl rand -hex 8)"
+          {
+            echo "SOURCE_ENV<<${EOF_MARKER}"
+            echo "${SOURCE_ENV}"
+            echo "${EOF_MARKER}"
+            echo "SOURCE_IMAGE<<${EOF_MARKER}"
+            echo "${SOURCE_IMAGE}"
+            echo "${EOF_MARKER}"
+            echo "TARGET_IMAGE<<${EOF_MARKER}"
+            echo "${TARGET_IMAGE}"
+            echo "${EOF_MARKER}"
+          } >> "$GITHUB_ENV"
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install JFrog CLI
         id: jfrog
-        uses: jfrog/setup-jfrog-cli@v4
+        uses: jfrog/setup-jfrog-cli@86dacb6974c66cc99e7651e1205f6581aaddba9a # v4.10.0
         env:
           JF_URL: https://${{ inputs.jfrog_url }}
         with:
@@ -95,12 +113,18 @@ jobs:
 
       - name: Promote Images
         id: promote
+        env:
+          INPUT_TAGS: ${{ inputs.tags }}
+          INPUT_SOURCE_TAG: ${{ inputs.source_tag }}
         run: |
           # Promote all specified tags
-          IFS=',' read -ra TAGS <<< "${{ inputs.tags }}"
+          IFS=',' read -ra TAGS <<< "${INPUT_TAGS}"
+          for i in "${!TAGS[@]}"; do
+            TAGS[$i]=$(echo "${TAGS[$i]}" | xargs)
+          done
           for TAG in "${TAGS[@]}"; do
-            if [[ "${{ inputs.source_tag }}" != "none" ]]; then
-              source_image="${SOURCE_IMAGE}:${{ inputs.source_tag }}"
+            if [[ "${INPUT_SOURCE_TAG}" != "none" ]]; then
+              source_image="${SOURCE_IMAGE}:${INPUT_SOURCE_TAG}"
             else
               source_image="${SOURCE_IMAGE}:${TAG}"
             fi
@@ -124,9 +148,11 @@ jobs:
           push-to-registry: true
 
       - name: Record Promotion
+        env:
+          INPUT_TAGS: ${{ inputs.tags }}
         run: |
           echo "## Image Promotion :rocket:" >> $GITHUB_STEP_SUMMARY
           echo "- From: $SOURCE_IMAGE" >> $GITHUB_STEP_SUMMARY
           echo "- To: $TARGET_IMAGE" >> $GITHUB_STEP_SUMMARY
-          echo "- Tags: ${{ inputs.tags }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Tags: ${INPUT_TAGS}" >> $GITHUB_STEP_SUMMARY
           echo "- Timestamp: $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY