feat(security): harden all actions following security recommendations

build-push-notify/action.yml

@@ -53,13 +53,13 @@ runs:
         fi
       shell: bash
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
     - name: Login to registry
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
       with:
         registry: ${{ inputs.REGISTRY_URL }}
         username: ${{ inputs.REGISTRY_USERNAME }}
@@ -69,10 +69,12 @@ runs:
       env:
         PRE_BUILD_COMMANDS: ${{ inputs.PRE_BUILD_COMMANDS }}
       run: |
-        $PRE_BUILD_COMMANDS
+        while IFS= read -r cmd; do
+          [ -n "$cmd" ] && bash -c "$cmd"
+        done <<< "$PRE_BUILD_COMMANDS"
       shell: bash
     - name: Build
-      uses: docker/build-push-action@v6.2.0
+      uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
       with:
         context: ${{ inputs.CONTEXT }}
         file: ${{ inputs.DOCKERFILE }}

code-analysis-notify/action.yml

@@ -32,7 +32,7 @@ runs:
         fi
       shell: bash
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     - name: Run checks
       uses: IMIO/code-analysis-action@7969d657a907cb4d3b8e426481ba41a44cb57554  # main as of 2026-03-13
       with:

helm-release-notify/action.yml

@@ -41,10 +41,10 @@ runs:
         fi
       shell: bash
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       with:
         fetch-depth: 0
-    - uses: actions/create-github-app-token@v1
+    - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
       id: app-token
       with:
         app-id: ${{ inputs.APP_ID }}

helm-test-notify/action.yml

@@ -32,26 +32,26 @@ runs:
         fi
       shell: bash
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       with:
         fetch-depth: 0
     - name: Set up Helm
-      uses: azure/setup-helm@v4.2.0
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
       with:
         version: ${{ inputs.HELM_VERSION }}
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: ${{ inputs.PYTHON_VERSION }}
         check-latest: true
     - name: Set up chart-testing
-      uses: helm/chart-testing-action@v2.6.1
+      uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
     - name: Run chart-testing (lint)
       env:
         DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
       run: ct lint --chart-dirs . --charts . --target-branch "$DEFAULT_BRANCH"
       shell: bash
     - name: Create kind cluster
-      uses: helm/kind-action@v1.10.0
+      uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
     - name: Run chart-testing (install)
     #  run: ct install --chart-dirs . --charts . --target-branch ${{ github.event.repository.default_branch }}
     # can't use it until https://github.com/helm/chart-testing/issues/310 is resolved

k8s-update-tag/action.yml

@@ -29,9 +29,10 @@ runs:
       shell: bash
     - name: Install yq
       run: |
-        sudo wget https://github.com/mikefarah/yq/releases/download/v4.47.2/yq_linux_amd64 -O /usr/local/bin/yq
-        echo "1bb99e1019e23de33c7e6afc23e93dad72aad6cf2cb03c797f068ea79814ddb0  /usr/local/bin/yq" | sha256sum -c
-        sudo chmod +x /usr/local/bin/yq
+        wget https://github.com/mikefarah/yq/releases/download/v4.47.2/yq_linux_amd64 -O /tmp/yq
+        echo "1bb99e1019e23de33c7e6afc23e93dad72aad6cf2cb03c797f068ea79814ddb0  /tmp/yq" | sha256sum -c
+        sudo install -m 0755 /tmp/yq /usr/local/bin/yq
+        rm /tmp/yq
       shell: bash
     - name: Configure Git and repository
       env:
@@ -40,9 +41,11 @@ runs:
         REPO_URL: ${{ inputs.REPO_URL }}
         TARGET_BRANCH: ${{ inputs.TARGET_BRANCH }}
       run: |
-        git clone "https://${REPO_TOKEN_NAME}:${REPO_ACCESS_TOKEN}@${REPO_URL}" repo
+        # Store credentials in .netrc to avoid leaking them in git URLs / process listing
+        printf 'machine %s\nlogin %s\npassword %s\n' "${REPO_URL%%/*}" "$REPO_TOKEN_NAME" "$REPO_ACCESS_TOKEN" > ~/.netrc
+        chmod 600 ~/.netrc
+        git clone "https://${REPO_URL}" repo
         cd repo
-        # Remove credentials from remote URL to avoid leaking them via git remote -v
         git remote set-url origin "https://${REPO_URL}"
         git config --global user.email "github-ci@imio.be"
         git config --global user.name "GitHub Actions CI"
@@ -53,9 +56,6 @@ runs:
         VALUES_FILE_PATH: ${{ inputs.VALUES_FILE_PATH }}
         TAG: ${{ inputs.TAG }}
         TARGET_BRANCH: ${{ inputs.TARGET_BRANCH }}
-        REPO_TOKEN_NAME: ${{ inputs.REPO_TOKEN_NAME }}
-        REPO_ACCESS_TOKEN: ${{ inputs.REPO_ACCESS_TOKEN }}
-        REPO_URL: ${{ inputs.REPO_URL }}
       run: |
         cd repo
         # Update the tag in the values file
@@ -64,5 +64,7 @@ runs:
         # Add and commit changes
         git add "$VALUES_FILE_PATH"
         git commit --allow-empty -m "CI Automated Deploy of $VALUES_FILE_PATH with tag $TAG"
-        git push "https://${REPO_TOKEN_NAME}:${REPO_ACCESS_TOKEN}@${REPO_URL}" "HEAD:${TARGET_BRANCH}"
+        git push origin "HEAD:${TARGET_BRANCH}"
+        # Clear stored credentials
+        rm -f ~/.netrc
       shell: bash

plone-package-test-notify/action.yml

@@ -46,17 +46,17 @@ runs:
         fi
       shell: bash
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     - name: Cache eggs
       if: ${{ inputs.CACHE_KEY != '' }}
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       env:
         cache-name: cache-eggs
       with:
         path: ./eggs
         key: ${{ inputs.CACHE_KEY }}
     - name: Install uv and set the python version
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
       with:
         python-version: ${{ inputs.PYTHON_VERSION }}
         version: ${{ inputs.UV_VERSION }}
@@ -70,7 +70,7 @@ runs:
         errors=0
         for command in "${commands[@]}"; do
           echo "Running command: $command"
-          $command || errors=$((errors + 1))
+          bash -c "$command" || errors=$((errors + 1))
         done
         [ "$errors" -eq 0 ]
     - name: Run buildout
@@ -80,13 +80,16 @@ runs:
         BUILDOUT_CONFIG_FILE: ${{ inputs.BUILDOUT_CONFIG_FILE }}
       shell: bash
       run: |
-        $BUILDOUT_COMMAND $BUILDOUT_OPTIONS -c "$BUILDOUT_CONFIG_FILE" buildout:eggs-directory=./eggs
+        read -ra buildout_cmd <<< "$BUILDOUT_COMMAND"
+        read -ra buildout_opts <<< "$BUILDOUT_OPTIONS"
+        "${buildout_cmd[@]}" "${buildout_opts[@]}" -c "$BUILDOUT_CONFIG_FILE" buildout:eggs-directory=./eggs
     - name: Run tests
       env:
         TEST_COMMAND: ${{ inputs.TEST_COMMAND }}
       shell: bash
       run: |
-        eval "$TEST_COMMAND"
+        read -ra cmd <<< "$TEST_COMMAND"
+        "${cmd[@]}"
     - name : Send notification on Mattermost
       if: ${{ inputs.MATTERMOST_WEBHOOK_URL != '' }}
       env:

plone-theme-build-push-notify/action.yml

@@ -54,7 +54,7 @@ runs:
         THEME_PATH: ${{ inputs.THEME_PATH }}
         ACTION_PATH: ${{ github.action_path }}
       run: |
-        python3 "$ACTION_PATH/theme_uploader.py" "$PLONE_URL" "$PLONE_USERNAME" "$PLONE_PASSWORD" "$THEME_PATH" theme.zip
+        python3 "$ACTION_PATH/theme_uploader.py" "$PLONE_URL" "$THEME_PATH" theme.zip
       shell: bash
     - name : Send notification on Mattermost
       if: ${{ inputs.MATTERMOST_WEBHOOK_URL != '' }}

plone-theme-build-push-notify/theme_uploader.py

@@ -10,15 +10,16 @@
 
 from bs4 import BeautifulSoup
 
+import os
 import requests
 import requests.cookies
 import sys
 
 INSTANCE_URL = sys.argv[1]
-USERNAME = sys.argv[2]
-PASSWORD = sys.argv[3]
-THEME_PATH = sys.argv[4]
-THEME_FILENAME = sys.argv[5]
+USERNAME = os.environ["PLONE_USERNAME"]
+PASSWORD = os.environ["PLONE_PASSWORD"]
+THEME_PATH = sys.argv[2]
+THEME_FILENAME = sys.argv[3]
 
 
 def authenticate(

repository-dispatch-notify/action.yml

@@ -43,7 +43,7 @@ runs:
         sudo apt-get update && sudo apt-get install -y jq
       fi
     shell: bash
-  - uses: actions/create-github-app-token@v1
+  - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
     id: app-token
     with:
       app-id: ${{ inputs.APP_ID }}
@@ -70,13 +70,13 @@ runs:
     shell: bash
   - name : Send notification on Mattermost
     if: ${{ inputs.MATTERMOST_WEBHOOK_URL != '' }}
-    uses: IMIO/gha/mattermost-notify@v4
+    uses: IMIO/gha/mattermost-notify@ec02349a0f486af868fc78489425e65e3b3e0c23 # v6.1.0
     with:
       MATTERMOST_WEBHOOK_URL: ${{ inputs.MATTERMOST_WEBHOOK_URL }}
       MESSAGE: "Repository dispatch event triggered on repository ${{ inputs.REPOSITORY }}"
   - name : Send failure notification on Mattermost
     if: ${{ failure() && inputs.MATTERMOST_WEBHOOK_URL != '' }}
-    uses: IMIO/gha/mattermost-notify@v4
+    uses: IMIO/gha/mattermost-notify@ec02349a0f486af868fc78489425e65e3b3e0c23 # v6.1.0
     with:
       MATTERMOST_WEBHOOK_URL: ${{ inputs.MATTERMOST_WEBHOOK_URL }}
       MESSAGE: "An error has been encountered while dispatching the event on repository ${{ inputs.REPOSITORY }}"

rundeck-notify/action.yml

@@ -37,7 +37,9 @@ runs:
         RUNDECK_PARAMETERS: ${{ inputs.RUNDECK_PARAMETERS }}
       run: |
         params=()
-        eval "params=($RUNDECK_PARAMETERS)"
+        if [ -n "$RUNDECK_PARAMETERS" ]; then
+          mapfile -t params <<< "$RUNDECK_PARAMETERS"
+        fi
         curl --fail-with-body "${params[@]}" -H "X-Rundeck-Auth-Token: $RUNDECK_TOKEN" "$RUNDECK_URL/api/18/job/$RUNDECK_JOB_ID/run/" -o rundeck-response.json
         echo "JOB_NAME=$(jq -r .job.name rundeck-response.json)" >> "$GITHUB_OUTPUT"
         echo "JOB_EXECUTION_PERMALINK=$(jq -r .permalink rundeck-response.json)" >> "$GITHUB_OUTPUT"

tag-notify/action.yml

@@ -36,13 +36,13 @@ runs:
         fi
       shell: bash
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
     - name: Login to registry
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
       with:
         registry: ${{ inputs.REGISTRY_URL }}
         username: ${{ inputs.REGISTRY_USERNAME }}