fix: harden patch-release workflow against script injection #3424

Open

vdemeester wants to merge 1 commit into tektoncd:main from vdemeester:fix/gha-release-security-hardening

Conversation

@vdemeester
Member

Changes

Harden the patch-release.yaml GitHub Actions workflow against script injection attacks, aligning with the same fixes applied in tektoncd/pipeline#9671.

Fixes

  1. permissions: {} — restrict workflow to least-privilege (no default token permissions)
  2. persist-credentials: false — prevent checkout action from persisting git credentials
  3. Environment variable indirection — replace direct ${{ inputs.* }} and ${{ matrix.release.* }} interpolation in run: blocks with environment variables (${INPUT_BRANCH}, ${RELEASE_VERSION}, etc.) to prevent script injection

Why

Using ${{ }} expressions directly in run: blocks is a known script injection vector. While the current inputs are validated or come from trusted sources, using env vars is a defense-in-depth best practice.

/kind cleanup

Submitter Checklist

Release Notes

NONE

- Add permissions: {} for least-privilege
- Add persist-credentials: false on checkout
- Use environment variables instead of direct ${{ }} interpolation
  in run: blocks to prevent script injection attacks

Aligns with the same hardening applied in tektoncd/pipeline#9671.
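The three fixes in the description can be checked mechanically. The following is an added example (not tektoncd's code and not the actual patch-release.yaml): two constructed, minimal workflow snippets, one with the unsafe pattern and one hardened the way the PR describes, plus a small line-oriented checker that flags a missing top-level `permissions:` block, an `actions/checkout` step without `persist-credentials: false`, and any `${{ inputs.* }}` / `${{ matrix.* }}` / `${{ github.event.* }}` expression interpolated directly into a `run:` script. The workflow names, inputs and `./release.sh` are hypothetical.

```python
import re

# Constructed sample workflows (illustrative only, not tektoncd's actual
# patch-release.yaml; ./release.sh is a hypothetical script).
UNSAFE_WORKFLOW = """\
name: patch-release
on:
  workflow_dispatch:
    inputs:
      branch: {required: true}
      version: {required: true}
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Cut release
        run: |
          git checkout ${{ inputs.branch }}
          ./release.sh ${{ inputs.version }}
"""

HARDENED_WORKFLOW = """\
name: patch-release
permissions: {}
on:
  workflow_dispatch:
    inputs:
      branch: {required: true}
      version: {required: true}
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Cut release
        env:
          INPUT_BRANCH: ${{ inputs.branch }}
          RELEASE_VERSION: ${{ inputs.version }}
        run: |
          git checkout "${INPUT_BRANCH}"
          ./release.sh "${RELEASE_VERSION}"
"""

# Expression contexts that carry externally influenced data; the runner
# substitutes them as text before the shell parses the run: script.
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*(inputs|matrix|github\.event)\.[^}]*\}\}")


def _indent(line):
    return len(line) - len(line.lstrip())


def _block_lines(lines, start, indent):
    """Yield (line_no, text) for the lines after `start` that are indented
    more deeply than `indent`, i.e. the YAML block opened on that line."""
    j = start + 1
    while j < len(lines) and (lines[j].strip() == "" or _indent(lines[j]) > indent):
        yield j + 1, lines[j]
        j += 1


def find_run_block_expressions(text):
    """Return (line_no, expression) for every untrusted ${{ }} expression
    that is interpolated inside a run: script."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = re.match(r"^(\s*)run:\s*(.*)$", line)
        if not m:
            continue
        body = [(idx + 1, m.group(2))] + list(_block_lines(lines, idx, len(m.group(1))))
        for n, s in body:
            findings.extend((n, e.group(0)) for e in UNTRUSTED_EXPR.finditer(s))
    return findings


def audit(text):
    """Apply the three checks from the PR description; an empty list passes."""
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"^permissions:", ln) for ln in lines):
        findings.append("no top-level 'permissions:' block; GITHUB_TOKEN gets default permissions")
    for idx, line in enumerate(lines):
        m = re.match(r"^(\s*)-\s+uses:\s*actions/checkout", line)
        if m and not any(re.match(r"^\s*persist-credentials:\s*false\s*$", s)
                         for _, s in _block_lines(lines, idx, len(m.group(1)))):
            findings.append(f"line {idx + 1}: actions/checkout without persist-credentials: false")
    for n, expr in find_run_block_expressions(text):
        findings.append(f"line {n}: {expr} interpolated directly into a run: script")
    return findings


if __name__ == "__main__":
    for label, wf in (("unsafe", UNSAFE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {audit(wf) or 'OK'}")
```

The hardened snippet still uses `${{ inputs.branch }}`, but only inside `env:`; the checker does not flag that, because the value then reaches the script as an environment variable and the shell treats `"${INPUT_BRANCH}"` as data rather than re-parsing it as code. That is the indirection the PR's third fix relies on.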
@tekton-robot tekton-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note-none Denotes a PR that doesn't merit a release note. labels May 12, 2026
@tekton-robot tekton-robot requested review from khrm and pramodbindal May 12, 2026 09:32
@tekton-robot tekton-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label May 12, 2026
@jkhelil
Member

jkhelil commented May 12, 2026

/approve

@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkhelil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 12, 2026