Harden workflows for OpenSSF scorecard (#79)

Signed-off-by: Davanum Srinivas <dsrinivas@nvidia.com>

Author: dims

.github/actions/README.md

@@ -77,7 +77,7 @@ This action runs `tools/setup-tools --skip-go --skip-docker` in auto mode, which
 ```yaml
 - uses: ./.github/actions/load-versions
   id: versions
-- uses: actions/setup-go@v5
+- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
   with:
     go-version: ${{ steps.versions.outputs.go }}
 ```
@@ -282,7 +282,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: ./.github/actions/load-versions
         id: versions
       - uses: ./.github/actions/go-ci
@@ -299,7 +299,7 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: ./.github/actions/load-versions
         id: versions
       - uses: ./.github/actions/go-ci

.github/workflows/codeql.yaml

@@ -34,13 +34,15 @@ on:
     - cron: '0 5 * * 1'
 
 permissions:
-  actions: read
   contents: read
-  security-events: write
 
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: ./.github/actions/load-versions

.github/workflows/kwok-recipes.yaml

@@ -39,7 +39,6 @@ on:
         type: string
 
 permissions:
-  actions: read
   contents: read
 
 concurrency:
@@ -54,6 +53,8 @@ jobs:
     outputs:
       recipes: ${{ steps.find.outputs.recipes }}
       recipe_count: ${{ steps.find.outputs.recipe_count }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -113,6 +114,8 @@ jobs:
       max-parallel: 4
       matrix:
         recipe: ${{ fromJSON(needs.discover.outputs.recipes) }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -137,6 +140,8 @@ jobs:
     needs: [discover, test]
     runs-on: ubuntu-latest
     if: always()
+    permissions:
+      contents: read
     steps:
       - name: Check test results
         run: |

.github/workflows/on-push-comment.yaml

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # This workflow posts coverage comments on PRs after the main workflow completes.
-# Using workflow_run gives us write permissions even for fork PRs.
+# Uses workflow_run with guarded checkout to avoid executing untrusted code.
 # See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
 
 name: Post PR Comment
@@ -26,15 +26,17 @@ on:
 
 permissions:
   actions: read        # Required to download artifacts from other workflow runs
-  contents: read       # Required to checkout repository for go.mod and changed-files
   pull-requests: write
 
 jobs:
   post-coverage-comment:
     name: Post Coverage Comment
     runs-on: ubuntu-latest
     # Run for PRs regardless of conclusion - coverage might exist even if other steps failed
-    if: github.event.workflow_run.event == 'pull_request'
+    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.head_repository.fork == false
+    permissions:
+      actions: read
+      pull-requests: write
     steps:
       - name: Checkout for go.mod version
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -58,7 +60,7 @@ jobs:
         with:
           name: coverage-pr
           path: /tmp/pr-coverage
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ github.token }}
           run-id: ${{ github.event.workflow_run.id }}
 
       - name: Download Coverage Metadata
@@ -68,14 +70,14 @@ jobs:
         with:
           name: coverage-comment-data
           path: /tmp/coverage-comment-data
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ github.token }}
           run-id: ${{ github.event.workflow_run.id }}
 
       - name: Download Baseline Coverage
         id: download-baseline
         if: steps.download-pr.outcome == 'success'
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -e
           mkdir -p /tmp/baseline-coverage
@@ -111,25 +113,41 @@ jobs:
             echo "mode: set" > /tmp/baseline-coverage/coverage.out
           fi
 
-      - name: Checkout for changed-files action
-        if: steps.download-pr.outcome == 'success'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          ref: ${{ github.event.workflow_run.head_sha }}
-          fetch-depth: 0
-
       - name: Get Changed Files
         id: changed-files
         if: steps.download-pr.outcome == 'success'
-        uses: tj-actions/changed-files@aa08304bd477b800d468db44fe10f6c61f7f7b11  # v46.0.5
-        with:
-          write_output_files: true
-          json: true
-          files: "**.go"
-          files_ignore: |
-            vendor/**
-            **_test.go
-          output_dir: .github/outputs
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          mkdir -p .github/outputs
+
+          PR_URL="${{ github.event.workflow_run.pull_requests[0].url }}"
+          if [[ -z "$PR_URL" || "$PR_URL" == "null" ]]; then
+            echo "No PR URL found in workflow_run payload. Skipping changed files." >&2
+            echo "any_changed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          FILES_JSON=$(curl -sS \
+            -H "Authorization: Bearer $GH_TOKEN" \
+            -H "Accept: application/vnd.github+json" \
+            "$PR_URL/files?per_page=300")
+
+          echo "$FILES_JSON" | jq -c '
+            [.[] |
+              select(.filename | endswith(".go")) |
+              select(.filename | test("^vendor/") | not) |
+              select(.filename | test("_test\\.go$") | not) |
+              .filename
+            ]' > .github/outputs/all_modified_files.json
+
+          if [[ "$(cat .github/outputs/all_modified_files.json)" == "[]" ]]; then
+            echo "any_changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "any_changed=true" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Generate Coverage Delta Report
         id: delta

.github/workflows/on-push.yaml

@@ -32,10 +32,7 @@ on:
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
-  actions: read
   contents: read
-  id-token: write
-  pull-requests: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -47,6 +44,8 @@ jobs:
     name: Unit Tests
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
 
       - name: Checkout Code
@@ -69,6 +68,8 @@ jobs:
     name: Integration Tests
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
 
       - name: Checkout Code
@@ -87,6 +88,8 @@ jobs:
     name: E2E Tests
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: read
     steps:
 
       - name: Checkout Code

.github/workflows/on-tag.yaml

@@ -20,13 +20,7 @@ on:
       - 'v[0-9]+.[0-9]+.[0-9]+'  # Only build tags with semantic versioning format
 
 permissions:
-  actions: read
-  attestations: write
-  contents: write
-  id-token: write
-  packages: write
-  pull-requests: write
-  security-events: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -42,6 +36,8 @@ jobs:
     name: Unit Tests
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -68,6 +64,8 @@ jobs:
     name: Integration Tests
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -85,6 +83,8 @@ jobs:
     name: E2E Tests
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: read
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -109,6 +109,11 @@ jobs:
     timeout-minutes: 30
     outputs:
       release_outcome: ${{ steps.release.outputs.release_outcome }}
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+      attestations: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -139,6 +144,10 @@ jobs:
     needs: [build]
     if: needs.build.outputs.release_outcome == 'success'
     timeout-minutes: 10
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -177,6 +186,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: [attest]
     timeout-minutes: 10
+    permissions:
+      contents: read
+      id-token: write
     env:
       IDENTITY_PROVIDER: 'projects/116689922666/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
       SERVICE_ACCOUNT: 'github-actions'

.github/workflows/packaging.yml

@@ -0,0 +1,61 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Packaging Check
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.goreleaser.yaml'
+      - '.goreleaser.yml'
+      - '.github/workflows/packaging.yml'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  package:
+    name: Package (Dry Run)
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Load versions
+        id: versions
+        uses: ./.github/actions/load-versions
+
+      - name: Setup Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
+        with:
+          go-version: ${{ steps.versions.outputs.go }}
+          cache: true
+
+      - name: Setup GoReleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a  # v6.4.0
+        with:
+          install-only: true
+
+      - name: GoReleaser Dry Run
+        env:
+          GORELEASER_CURRENT_TAG: v0.0.0
+        run: |
+          set -euo pipefail
+          goreleaser release --snapshot --clean --skip=publish

.github/workflows/test-deploy.yaml

@@ -24,14 +24,16 @@ on:
 
 permissions:
   contents: read
-  id-token: write
-  packages: read
 
 jobs:
   deploy:
     name: Test Deploy
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
+      id-token: write
+      packages: read
     env:
       IDENTITY_PROVIDER: 'projects/116689922666/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
       SERVICE_ACCOUNT: 'github-actions'