ci: harden workflow permissions and fix shellcheck warnings (#99)

* ci: add least-privilege permissions and quote shell variables in CI workflow * ci: restrict root permissions and quote shell variables in test-coverage workflow * ci: quote shell variables and group redirects in release workflow
2026-03-12 10:00:59 +00:00 · 2026-03-08 03:45:56 +02:00
parent f6b0f864b4
commit e58397a75d
3 changed files with 20 additions and 10 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,9 +8,13 @@ on:
  pull_request:
    branches: [main, develop]

+permissions: {}
+
 jobs:
  test:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read

    strategy:
      fail-fast: false
@@ -33,7 +37,7 @@ jobs:

      - name: Get composer cache directory
        id: composer-cache
-        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+        run: echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"

      - name: Cache composer dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
@@ -63,6 +67,8 @@ jobs:
  coverage:
    runs-on: ubuntu-latest
    name: Coverage
+    permissions:
+      contents: read

    steps:
      - name: Checkout code
@@ -92,6 +98,8 @@ jobs:
  security:
    runs-on: ubuntu-latest
    name: Security Analysis
+    permissions:
+      contents: read

    steps:
      - name: Checkout code
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,7 +39,7 @@ jobs:

      - name: Get tag name
        id: tag
-        run: echo "name=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "name=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"

      - name: Extract changelog for this version
        id: changelog
@@ -49,14 +49,16 @@ jobs:
            # Get content between this version and next version header
            awk '/^## \[${{ steps.tag.outputs.name }}\]/{flag=1; next} /^## \[/{flag=0} flag' CHANGELOG.md > /tmp/changelog.txt
            if [ -s /tmp/changelog.txt ]; then
-              echo "content<<EOF" >> $GITHUB_OUTPUT
-              cat /tmp/changelog.txt >> $GITHUB_OUTPUT
-              echo "EOF" >> $GITHUB_OUTPUT
+              {
+                echo "content<<EOF"
+                cat /tmp/changelog.txt
+                echo "EOF"
+              } >> "$GITHUB_OUTPUT"
            else
-              echo "content=Release ${{ steps.tag.outputs.name }}" >> $GITHUB_OUTPUT
+              echo "content=Release ${{ steps.tag.outputs.name }}" >> "$GITHUB_OUTPUT"
            fi
          else
-            echo "content=Release ${{ steps.tag.outputs.name }}" >> $GITHUB_OUTPUT
+            echo "content=Release ${{ steps.tag.outputs.name }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Archive source code
--- a/.github/workflows/test-coverage.yaml
+++ b/.github/workflows/test-coverage.yaml
@@ -8,7 +8,7 @@ on:
  push:
    branches: [main]

-permissions: read-all
+permissions: {}

 jobs:
  test:
@@ -51,8 +51,8 @@ jobs:

      - name: "Add Code Coverage to Job Summary"
        run: |
-          cat code-coverage-summary.md >> $GITHUB_STEP_SUMMARY
-          cat code-coverage-details.md >> $GITHUB_STEP_SUMMARY
+          cat code-coverage-summary.md >> "$GITHUB_STEP_SUMMARY"
+          cat code-coverage-details.md >> "$GITHUB_STEP_SUMMARY"

      - name: "Add Code Coverage Summary as PR Comment"
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4