Skip to content

[SECURITY] Fix zizmor findings in shared tofu workflows#42

Closed
John McCall (lowlydba) wants to merge 2 commits into
mainfrom
lowlydba-fix-zizmor-security-findings
Closed

[SECURITY] Fix zizmor findings in shared tofu workflows#42
John McCall (lowlydba) wants to merge 2 commits into
mainfrom
lowlydba-fix-zizmor-security-findings

Conversation

@lowlydba

Copy link
Copy Markdown
Contributor

Fixes zizmor security findings surfaced in #41.

Changes

shared-tofu-apply.yaml + shared-tofu-plan.yaml

Finding Fix
excessive-permissions / undocumented-permissions Moved permissions from workflow level → job level with explanatory comments
artipacked Added persist-credentials: false to actions/checkout step
template-injection Passed inputs.env, secrets.env_secret, and secrets.tofu_secret_variables through step env: vars; replaced echo -e '${{ ... }}' with echo "$VAR"

check-linked-issue/action.yml + overture-projection/action.yml

Finding Fix
ref-version-mismatch Added ref-version-mismatch to the existing zizmor:ignore directive — the inline suppress comment was breaking zizmor's version-comment detection for those lines

Notes

  • The template-injection fix preserves existing behaviour: env vars are appended to $GITHUB_ENV, secrets are masked. Only the expansion mechanism changed (env var reference instead of direct GHA template expansion in shell code).
  • Permissions are intentional at job scope: id-token: write for OIDC/AWS auth, pull-requests: write for dflook tofu comments.

Port shared-tofu-plan and shared-tofu-apply from the private
omf-github-terraform repo to this public repo so zizmor online
audits (ref-confusion, impostor-commit) can verify refs without
a cross-repo token.

Changes vs omf-github-terraform version:
- oidc_role_arn is now required with no default; callers must pass
  the IAM role ARN explicitly
- actions/checkout bumped to v4.2.2 (SHA-pinned)

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Signed-off-by: John McCall <john@overturemaps.org>
- Move permissions from workflow level to job level with explanatory
  comments (fixes excessive-permissions in apply, undocumented-permissions
  in plan)
- Add persist-credentials: false to checkout steps (fixes artipacked)
- Fix template-injection: pass inputs.env and secrets via step env vars
  instead of direct template expansion; drop echo -e in favour of plain echo
- Add ref-version-mismatch to existing zizmor:ignore directives in
  check-linked-issue and overture-projection actions

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Signed-off-by: John McCall <john@overturemaps.org>
@overture-projection

Copy link
Copy Markdown

Overture PRojection Review

This PR addresses multiple security findings from zizmor in shared tofu workflows, moving permissions to job scope, improving credential handling, and fixing template injection risks. Minor inline action.yml changes suppress a ref-version-mismatch warning. No tests are included, and there is no linked issue.

✅ Checks Passed

  • Permissions are now scoped to jobs with clear explanatory comments, reducing risk from excessive or undocumented permissions.
  • persist-credentials: false is set on actions/checkout, mitigating artipacked credential leakage.
  • Template injection risk is addressed by switching from direct GHA template expansion in shell code to env var references, preserving masking and behavior.
  • Inline suppress comments for zizmor are updated to avoid breaking version detection.
  • MIT license is present and unchanged.

🚩 Flags

  • Process: No linked issue (Linked issue: ❌ none). Per OvertureMaps org conventions, all work should have an associated GitHub issue for traceability and visibility. Please create and link an issue retroactively.
  • Tests: Tests: ❌ none in diff — these are workflow changes affecting security posture. While direct unit tests may not be feasible for reusable workflows, consider adding workflow-level validation or a test workflow to ensure the new env handling and permission scoping behave as intended.

❓ Open Questions

  • .github/workflows/shared-tofu-apply.yaml:97, shared-tofu-plan.yaml:93 — The masking logic for secrets uses cut -d'=' -f2- on each secret line. Is it guaranteed that all secret values are formatted as KEY=VALUE? If not, this could fail to mask some secrets. Please confirm or clarify the expected format.

No bugs, logic errors, or security regressions are visible in the diff. The changes are in line with the description and address the cited findings. The main process gap is the missing linked issue. The masking logic for secrets may need clarification to ensure all secret values are properly masked.

Context Files

  • Code consistency guidance and GitHub usage guidelines confirm the need for linked issues and clear documentation, both of which are mostly met except for the missing issue link.

@lowlydba

Copy link
Copy Markdown
Contributor Author

Closing — fixes will be applied directly to #41 instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant