ci(deploy-camunda): fix path-traversal in extra-values validator and log leak

Address copilot review findings on #6429:

- registry_validator.go: reject relative extra-values paths that escape
  chart-full-setup via `..` traversal (filepath.Rel guard). Add
  TestRegistryValidatorRejectsExtraValuesPathTraversal to pin this.
- test-integration-runner.yaml: replace all four `tee /tmp/extra-values-file.yaml`
  instances with a plain redirect to avoid printing potentially sensitive
  values content into workflow logs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: Ian-wang-liyang

.github/workflows/test-integration-runner.yaml

@@ -528,8 +528,7 @@ jobs:
           ENTRA_APP_OBJECT_ID: ${{ steps.setup.outputs.ENTRA_APP_OBJECT_ID }}
           ENTRA_APP_DIRECTORY_ID: ${{ steps.setup.outputs.ENTRA_APP_DIRECTORY_ID }}
         run: |
-          echo "Extra values from workflow:"
-          echo "$EXTRA_VALUES" | tee /tmp/extra-values-file.yaml
+          echo "$EXTRA_VALUES" > /tmp/extra-values-file.yaml
           deploy-camunda entra update-redirect-uris \
             --ingress-host "$TEST_INGRESS_HOST" \
             --log-level info
@@ -548,11 +547,10 @@ jobs:
         env:
           EXTRA_VALUES: ${{ inputs.extra-values }}
         run: |
-          # Persist user-supplied extra values for `deploy-camunda matrix run` to consume.
-          # The runner uses a fixed location (/tmp/extra-values-file.yaml) which is added to
-          # the helm values chain by deploy.Execute via flags.Deployment.ExtraValues.
-          echo "Extra values from workflow:"
-          echo "$EXTRA_VALUES" | tee /tmp/extra-values-file.yaml
+          # Persist user-supplied extra values for `deploy-camunda matrix run` to consume
+          # via --extra-values (flags.Deployment.ExtraValues → digest-overlay strip).
+          # Written without echoing to stdout to avoid leaking sensitive values into logs.
+          echo "$EXTRA_VALUES" > /tmp/extra-values-file.yaml
 
       - name: Helm - OCI Registry Login
         if: inputs.helmChartVersion != ''
@@ -904,8 +902,7 @@ jobs:
           ENTRA_APP_OBJECT_ID: ${{ steps.setup.outputs.ENTRA_APP_OBJECT_ID }}
           ENTRA_APP_DIRECTORY_ID: ${{ steps.setup.outputs.ENTRA_APP_DIRECTORY_ID }}
         run: |
-          echo "Extra values from workflow:"
-          echo "$EXTRA_VALUES" | tee /tmp/extra-values-file.yaml
+          echo "$EXTRA_VALUES" > /tmp/extra-values-file.yaml
           deploy-camunda entra update-redirect-uris \
             --ingress-host "$TEST_INGRESS_HOST" \
             --log-level info
@@ -1043,10 +1040,9 @@ jobs:
           # `matrix run` runs upgrade as two steps and applies --extra-values to
           # Step 2 only (runner_upgrade.go nils Step 1's copy), so the run-built
           # image tag lands on the upgraded chart without contaminating the
-          # previous-version install. The tee runs here unconditionally so the file
-          # exists regardless of auth type (the OIDC configure step also tees it).
-          echo "Extra values from workflow:"
-          echo "$EXTRA_VALUES" | tee /tmp/extra-values-file.yaml
+          # previous-version install. Written without echoing to stdout to avoid
+          # leaking potentially sensitive values into workflow logs.
+          echo "$EXTRA_VALUES" > /tmp/extra-values-file.yaml
           EXTRA_VALUES_ARGS=()
           if [[ -s /tmp/extra-values-file.yaml ]] && grep -q '[^[:space:]]' /tmp/extra-values-file.yaml; then
             EXTRA_VALUES_ARGS=(--extra-values /tmp/extra-values-file.yaml)

scripts/deploy-camunda/matrix/registry_test.go

@@ -438,6 +438,22 @@ func TestRegistryValidatorRejectsMissingExtraValues(t *testing.T) {
 	}
 }
 
+// TestRegistryValidatorRejectsExtraValuesPathTraversal pins the traversal
+// guard in checkExtraValues: a relative path that escapes chart-full-setup
+// via `..` must be rejected even if the target file exists on disk.
+func TestRegistryValidatorRejectsExtraValuesPathTraversal(t *testing.T) {
+	abs := absChartDir(t)
+	cfg, err := LoadRegistry(abs)
+	if err != nil {
+		t.Fatalf("LoadRegistry: %v", err)
+	}
+	cfg.Integration.Case.PR.Scenarios[0].ExtraValues = []string{"../../etc/passwd"}
+	err = (&RegistryValidator{ChartDir: abs}).Validate(cfg)
+	if err == nil || !strings.Contains(err.Error(), "escapes chart-full-setup") {
+		t.Fatalf("want path-traversal rejection, got: %v", err)
+	}
+}
+
 // TestRegistryValidatorRejectsMissingDepValuesFile exercises checkDep.
 // values-file paths are repo-root-relative (matching runner.go:1742); a
 // dangling reference must be caught at validation, not at deploy time.

scripts/deploy-camunda/matrix/registry_validator.go

@@ -102,6 +102,12 @@ func (v *RegistryValidator) Validate(cfg *CITestConfig) error {
 			return
 		}
 		path := filepath.Join(chartFullSetupDir, ev)
+		// Reject paths that escape chart-full-setup via `..` traversal.
+		rel, err := filepath.Rel(chartFullSetupDir, path)
+		if err != nil || strings.HasPrefix(rel, "..") {
+			problems = append(problems, fmt.Sprintf("%s: extra-values %q: path escapes chart-full-setup dir", ctx, ev))
+			return
+		}
 		if info, err := os.Stat(path); err != nil || info.IsDir() {
 			problems = append(problems, fmt.Sprintf("%s: extra-values %q: missing values file at %s", ctx, ev, path))
 		}