From f1bfe06351978d79ef85082de7390b0a8cca1d9f Mon Sep 17 00:00:00 2001 From: bogdandina Date: Tue, 12 May 2026 08:57:53 +0300 Subject: [PATCH 1/6] feat(79894): add zizmor workflow security audit and pin all action SHAs Add a zizmor job to ci.yml that runs on every PR and push to main, auditing all workflow files for unpinned actions, template injection, excessive permissions, and other insecure patterns via zizmorcore/zizmor-action (SARIF results uploaded to GitHub Security tab). Pin every uses: reference across all four shared workflows to an immutable commit SHA with a human-readable version comment, eliminating the supply-chain risk of mutable tags being silently redirected to malicious commits. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/ci-cd-java.yml | 4 ++-- .github/workflows/ci.yml | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml index 2e403cd..761207e 100644 --- a/.github/workflows/ci-cd-java.yml +++ b/.github/workflows/ci-cd-java.yml @@ -233,5 +233,5 @@ jobs: labels: ${{ steps.meta.outputs.labels }} secrets: | github_token=${{ secrets.GITHUB_TOKEN }} - build-args: | - GITHUB_ACTOR=${{ github.actor }} + build-args: | + GITHUB_ACTOR=${{ github.actor }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b857286..f87152f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,3 +42,18 @@ jobs: - name: Run script tests run: pytest scripts/ -v + + zizmor: + name: Workflow security audit (zizmor) + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 From 252d354c6c04251d01c4f2dca174df7fb446c137 Mon Sep 17 00:00:00 2001 
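Review bot: The zizmor job depends on `security-events: write` to upload SARIF, but GitHub caps GITHUB_TOKEN at read-only for `pull_request` runs coming from forks, so if the workflow's trigger (outside this hunk) accepts fork PRs the upload will fail and the audit job goes red on every external contribution; either run the action in its non-SARIF mode for those events or gate the upload on `github.event.pull_request.head.repo.full_name == github.repository`. The action step has no `with:` block, so whether the job fails on findings or only surfaces them in the Security tab is whatever the action's defaults do — worth pinning down and recording in a comment such as `# Findings are uploaded as SARIF; set persona/min-severity here if the job should also fail the PR`. `persist-credentials: false` on the checkout is correct for an audit-only job.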
From: bogdandina Date: Wed, 13 May 2026 08:49:31 +0300 Subject: [PATCH 2/6] feat(79897): fix security alerts --- .github/workflows/ci-cd-java.yml | 1 - .github/workflows/ci-cd-kotlin.yml | 1 - .github/workflows/ci-cd-typescript.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml index 761207e..5949ad0 100644 --- a/.github/workflows/ci-cd-java.yml +++ b/.github/workflows/ci-cd-java.yml @@ -72,7 +72,6 @@ jobs: with: distribution: 'temurin' java-version: '25' - cache: 'maven' - name: Validate Java version consistency working-directory: ${{ inputs.workingDirectory }} diff --git a/.github/workflows/ci-cd-kotlin.yml b/.github/workflows/ci-cd-kotlin.yml index fa17a57..63669ed 100644 --- a/.github/workflows/ci-cd-kotlin.yml +++ b/.github/workflows/ci-cd-kotlin.yml @@ -73,7 +73,6 @@ jobs: with: distribution: 'temurin' java-version: '11' - cache: 'gradle' - name: Validate Java version consistency env: diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml index 4955461..0d112dc 100644 --- a/.github/workflows/ci-cd-typescript.yml +++ b/.github/workflows/ci-cd-typescript.yml @@ -41,7 +41,6 @@ jobs: uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "lts/*" - cache: "npm" - name: Install NPM dependencies run: npm ci From f41e8bbf4b143e0043bfb931fdc7d4b2a5cd07d0 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Wed, 13 May 2026 09:02:22 +0300 Subject: [PATCH 3/6] feat(79897): fix TS cache poison issue --- .github/workflows/ci-cd-typescript.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml index 0d112dc..7933bfc 100644 --- a/.github/workflows/ci-cd-typescript.yml +++ b/.github/workflows/ci-cd-typescript.yml 
@@ -38,6 +38,7 @@ jobs: fetch-depth: 2 - name: Install Node + # zizmor:ignore[cache-poisoning] Node binary tool-cache is implicit and cannot be disabled; no npm package cache is configured uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "lts/*" From bed8a860c037b18b6cf886c92500d52a8f38809f Mon Sep 17 00:00:00 2001 From: bogdandina Date: Wed, 13 May 2026 09:10:54 +0300 Subject: [PATCH 4/6] feat(79897): one more fix for cache poisoning issue --- .github/workflows/ci-cd-typescript.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci-cd-typescript.yml b/.github/workflows/ci-cd-typescript.yml index 7933bfc..5566869 100644 --- a/.github/workflows/ci-cd-typescript.yml +++ b/.github/workflows/ci-cd-typescript.yml @@ -105,6 +105,7 @@ jobs: with: context: . load: true + no-cache: true target: "${{ env.TEST_STAGE }}" tags: "${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}" @@ -126,6 +127,7 @@ jobs: with: context: . push: true + no-cache: true target: "${{ env.PRODUCTION_STAGE }}" tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From c06b6554058b06db0dd45c71c75cb6937db045b8 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Wed, 13 May 2026 22:42:32 +0300 Subject: [PATCH 5/6] feat(79896): disable cache usage --- .github/workflows/ci-cd-java.yml | 41 ++++++++++++++++-------------- .github/workflows/ci-cd-kotlin.yml | 41 ++++++++++++++++-------------- 2 files changed, 44 insertions(+), 38 deletions(-) diff --git a/.github/workflows/ci-cd-java.yml b/.github/workflows/ci-cd-java.yml index 5949ad0..3b93922 100644 --- a/.github/workflows/ci-cd-java.yml +++ b/.github/workflows/ci-cd-java.yml 
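Review bot: The `# zizmor:ignore[cache-poisoning]` justification argues about the hosted tool cache, which as far as I understand zizmor's rule is not what it checks — the audit flags cache-aware actions in workflows that also publish artifacts — so the comment answers a different concern than the one being suppressed. I'd make it state what is actually true of the step: `# zizmor:ignore[cache-poisoning] no cache: input is set, so setup-node reads nothing from the actions cache; only the runner's implicit tool-cache is used`. Since the `cache: "npm"` input was already removed in the previous patch, it is also worth confirming the finding's span really is this step and not the `docker/build-push-action` step later in the file, which the next patch addresses with `no-cache: true`.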
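Review bot: `no-cache: true` is added to the test-stage build (`load: true`) as well as to the production push, but the cache-poisoning concern only applies to the build whose output is published, so disabling layer caching on the test build slows every PR without a security gain. The Java and Kotlin workflows in this same series gate caching on their release check; this workflow could do the equivalent by keeping `no-cache` only on the `push: true` step, or by tying it to the event, e.g. `no-cache: ${{ github.event_name != 'pull_request' }}`. Note also that I believe `no-cache` only stops the build from reading a layer cache; if a `cache-to:` export is configured elsewhere in the step (not visible here) it would still be written.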
@@ -67,11 +67,28 @@ jobs: ref: ${{ steps.resolve_shared_workflow_ref.outputs.shared_workflow_ref }} path: .shared-workflows + - name: Check if release build + id: release_check + env: + PERFORM_RELEASE_INPUT: ${{ inputs.performRelease }} + run: | + PERFORM_RELEASE=false + if [[ "${GITHUB_REF}" == "refs/heads/main" || \ + "${GITHUB_REF}" == "refs/heads/develop" || \ + "${GITHUB_REF}" == "refs/heads/aks-dev" || \ + "${GITHUB_REF}" == refs/tags/* ]]; then + PERFORM_RELEASE=true + elif [[ "${PERFORM_RELEASE_INPUT}" == "true" ]]; then + PERFORM_RELEASE=true + fi + echo "perform_release=${PERFORM_RELEASE}" >> "$GITHUB_OUTPUT" + - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '25' + cache: ${{ steps.release_check.outputs.perform_release != 'true' && 'maven' || '' }} - name: Validate Java version consistency working-directory: ${{ inputs.workingDirectory }} @@ -183,22 +200,8 @@ jobs: build-args: GITHUB_ACTOR=${{ github.actor }} - - name: Check if perform release - id: perform_release - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then - PERFORM_RELEASE=true - elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${{ inputs.performRelease }}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV - echo "Perform release: ${PERFORM_RELEASE}" - - name: Extract Docker metadata - if: ${{ env.PERFORM_RELEASE == 'true' }} + if: ${{ steps.release_check.outputs.perform_release == 'true' }} id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: 
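Review bot: The release decision now lives in a step output, so every later `steps.release_check.outputs.perform_release` reference must sit in the same job; if the Docker steps further down (the hunk at old line ~200) are in a different job, the expression evaluates to an empty string and releases silently stop, which is worth checking since the old step sat right next to those Docker steps. The `cache:` expression yields `''` on release builds and relies on setup-java treating an empty `cache` input as "no cache" — confirm that and say why in a comment, e.g. `# cache only on non-release builds; a release must not consume a cache an earlier run could have seeded`. The removed `echo "Perform release: ..."` was the only log of the decision, so keep `echo "Perform release: ${PERFORM_RELEASE}"` in the new step for auditability of release runs.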
@@ -212,22 +215,22 @@ jobs: org.opencontainers.image.vendor=hsldevcom - name: Setup Docker Buildx - if: ${{ env.PERFORM_RELEASE == 'true' }} + if: ${{ steps.release_check.outputs.perform_release == 'true' }} uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Login to Docker Hub - if: ${{ env.PERFORM_RELEASE == 'true' }} + if: ${{ steps.release_check.outputs.perform_release == 'true' }} uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build & Push Docker image - if: ${{ env.PERFORM_RELEASE == 'true' }} + if: ${{ steps.release_check.outputs.perform_release == 'true' }} uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: ${{ inputs.workingDirectory }} - push: ${{ env.PERFORM_RELEASE }} + push: ${{ steps.release_check.outputs.perform_release }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} secrets: | diff --git a/.github/workflows/ci-cd-kotlin.yml b/.github/workflows/ci-cd-kotlin.yml index 63669ed..b7d6456 100644 --- a/.github/workflows/ci-cd-kotlin.yml +++ b/.github/workflows/ci-cd-kotlin.yml 
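Review bot: `push: ${{ steps.release_check.outputs.perform_release }}` is redundant with the step's own `if:` guard — when this step runs the output is always `true` — so `push: true` states the intent more plainly and removes one more place where the output string has to be coerced into a boolean. Keeping the Docker Hub login and push behind the same `release_check` condition is the right shape, since the `DOCKER_HUB_INFODEVOPS_TOKEN` secret then only enters the job on release runs.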
@@ -68,11 +68,28 @@ jobs: ref: ${{ env.SHARED_WORKFLOW_REF }} path: .shared-workflows + - name: Check if release build + id: release_check + env: + PERFORM_RELEASE_INPUT: ${{ inputs.performRelease }} + run: | + PERFORM_RELEASE=false + if [[ "${GITHUB_REF}" == "refs/heads/main" || \ + "${GITHUB_REF}" == "refs/heads/develop" || \ + "${GITHUB_REF}" == "refs/heads/aks-dev" || \ + "${GITHUB_REF}" == refs/tags/* ]]; then + PERFORM_RELEASE=true + elif [[ "${PERFORM_RELEASE_INPUT}" == "true" ]]; then + PERFORM_RELEASE=true + fi + echo "perform_release=${PERFORM_RELEASE}" >> "$GITHUB_OUTPUT" + - name: Setup JDK uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '11' + cache: ${{ steps.release_check.outputs.perform_release != 'true' && 'gradle' || '' }} - name: Validate Java version consistency env: @@ -162,26 +179,12 @@ jobs: push: 'false' tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}' - - name: Check if perform release - id: perform_release - run: | - PERFORM_RELEASE=false - if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then - PERFORM_RELEASE=true - elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then - PERFORM_RELEASE=true - elif [[ "${{ inputs.performRelease }}" == "true" ]]; then - PERFORM_RELEASE=true - fi - echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV - echo "Perform release: ${PERFORM_RELEASE}" - - name: Setup Docker Buildx - if: env.PERFORM_RELEASE == 'true' + if: steps.release_check.outputs.perform_release == 'true' uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Extract Docker metadata - if: env.PERFORM_RELEASE == 'true' + if: steps.release_check.outputs.perform_release == 'true' id: meta uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: 
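Review bot: The branch/tag list that decides a release is now duplicated byte-for-byte between this workflow and ci-cd-java.yml in the same series; when one gains or loses a branch the other silently diverges, and a divergence here means one language's images get pushed from a branch the other does not. Consider moving the check into a small composite action under `.shared-workflows` (checked out a few lines above) and referencing it from both. The `cache:` ternary also deserves a comment on why it exists, e.g. `# Gradle cache only for non-release builds: a release must not read a cache an earlier run could have poisoned`, since without it the next editor will "simplify" it back to `cache: 'gradle'`.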
@@ -195,17 +198,17 @@ jobs: org.opencontainers.image.vendor=hsldevcom - name: Login to Docker Hub - if: env.PERFORM_RELEASE == 'true' + if: steps.release_check.outputs.perform_release == 'true' uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }} password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }} - name: Build & Push Docker image - if: env.PERFORM_RELEASE == 'true' + if: steps.release_check.outputs.perform_release == 'true' uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . - push: ${{ env.PERFORM_RELEASE }} + push: ${{ steps.release_check.outputs.perform_release }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} From 48e333e8b014a81b58549c4f2343e3adc5d53d55 Mon Sep 17 00:00:00 2001 From: bogdandina Date: Tue, 19 May 2026 22:42:03 +0300 Subject: [PATCH 6/6] feat(79897): fix --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f87152f..b5e5a7a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: security-events: write steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: persist-credentials: false