[SECURITY] Fix zizmor findings in shared tofu workflows#42
Closed
John McCall (lowlydba) wants to merge 2 commits into
Closed
[SECURITY] Fix zizmor findings in shared tofu workflows#42John McCall (lowlydba) wants to merge 2 commits into
John McCall (lowlydba) wants to merge 2 commits into
Conversation
Port shared-tofu-plan and shared-tofu-apply from the private omf-github-terraform repo to this public repo so zizmor online audits (ref-confusion, impostor-commit) can verify refs without a cross-repo token. Changes vs omf-github-terraform version: - oidc_role_arn is now required with no default; callers must pass the IAM role ARN explicitly - actions/checkout bumped to v4.2.2 (SHA-pinned) Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Signed-off-by: John McCall <john@overturemaps.org>
- Move permissions from workflow level to job level with explanatory comments (fixes excessive-permissions in apply, undocumented-permissions in plan) - Add persist-credentials: false to checkout steps (fixes artipacked) - Fix template-injection: pass inputs.env and secrets via step env vars instead of direct template expansion; drop echo -e in favour of plain echo - Add ref-version-mismatch to existing zizmor:ignore directives in check-linked-issue and overture-projection actions Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Signed-off-by: John McCall <john@overturemaps.org>
|
Overture PRojection Review This PR addresses multiple security findings from zizmor in shared tofu workflows, moving permissions to job scope, improving credential handling, and fixing template injection risks. Minor inline action.yml changes suppress a ref-version-mismatch warning. No tests are included, and there is no linked issue. ✅ Checks Passed
🚩 Flags
❓ Open Questions
No bugs, logic errors, or security regressions are visible in the diff. The changes are in line with the description and address the cited findings. The main process gap is the missing linked issue. The masking logic for secrets may need clarification to ensure all secret values are properly masked. Context Files
|
Contributor
Author
|
Closing — fixes will be applied directly to #41 instead. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes zizmor security findings surfaced in #41.
Changes
shared-tofu-apply.yaml+shared-tofu-plan.yamlexcessive-permissions/undocumented-permissionsartipackedpersist-credentials: falsetoactions/checkoutsteptemplate-injectioninputs.env,secrets.env_secret, andsecrets.tofu_secret_variablesthrough stepenv:vars; replacedecho -e '${{ ... }}'withecho "$VAR"check-linked-issue/action.yml+overture-projection/action.ymlref-version-mismatchref-version-mismatchto the existingzizmor:ignoredirective — the inline suppress comment was breaking zizmor's version-comment detection for those linesNotes
template-injectionfix preserves existing behaviour: env vars are appended to$GITHUB_ENV, secrets are masked. Only the expansion mechanism changed (env var reference instead of direct GHA template expansion in shell code).id-token: writefor OIDC/AWS auth,pull-requests: writefor dflook tofu comments.