fix(security): eliminate CI injection vectors and pin actions (#1)

- Move all github.event.* expressions from run: to env: blocks (CWE-94)
  - spell-check.yml: changed_files via env var
  - markdown-link-check.yml: changed_files via temp file input
  - ai-spec-drafter.yml: issue.number via env var
  - ai-test-generator.yml: pull_request.number via env var
  - ai-release-notes.yml: release.tag_name via env var
  - sbom.yml: release.tag_name via env var
- Redact secret scanner output to prevent secret leaks to CI logs (CWE-200)
- SHA-pin dtolnay/rust-toolchain (the only unpinned action) (CWE-829)
- Add missing permissions: block to markdown-link-check.yml (CWE-250)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: imran-siddique

.github/workflows/ai-release-notes.yml

@@ -32,8 +32,10 @@ jobs:
         id: prs
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          EVENT_TAG: ${{ github.event.release.tag_name }}
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
-          TAG="${{ github.event.release.tag_name || inputs.tag }}"
+          TAG="${EVENT_TAG:-$INPUT_TAG}"
           if [ -z "$TAG" ]; then
             TAG=$(gh release list --limit 1 --json tagName -q '.[0].tagName' 2>/dev/null || echo "")
           fi

.github/workflows/ai-spec-drafter.yml

@@ -125,7 +125,8 @@ jobs:
       - name: Comment on issue
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
         run: |
-          gh issue comment ${{ github.event.issue.number }} \
+          gh issue comment "$ISSUE_NUMBER" \
             --body "🤖 An engineering spec has been drafted and a PR created. Please review the PR for the full specification." \
             || true

.github/workflows/ai-test-generator.yml

@@ -44,8 +44,9 @@ jobs:
         id: changes
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
-          FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only \
+          FILES=$(gh pr diff "$PR_NUMBER" --name-only \
             | grep -E '^packages/[^/]+/src/.*\.py$' || true)
           if [ -z "$FILES" ]; then
             echo "skip=true" >> "$GITHUB_OUTPUT"

.github/workflows/ci.yml

@@ -403,7 +403,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
       - name: Build
         working-directory: packages/agent-mesh/sdks/rust/agentmesh
         run: cargo build --release

.github/workflows/markdown-link-check.yml

@@ -6,6 +6,9 @@ on:
       - '**/*.md'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   link-check:
     runs-on: ubuntu-latest
@@ -20,12 +23,15 @@ jobs:
           files: |
             **/*.md
 
+      - name: Write changed files list
+        if: steps.changed-files.outputs.any_changed == 'true'
+        env:
+          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
+        run: printf '%s\n' $CHANGED_FILES > "$RUNNER_TEMP/changed-md-files.txt"
+
       - name: Run Link Checker
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
         with:
-          # Configuration is defined here directly in YAML (no JSON file needed)
-          # --exclude-loopback: ignores localhost/127.0.0.1
-          # --verbose: shows details in the logs
-          args: --verbose --no-progress --exclude-loopback ${{ steps.changed-files.outputs.all_changed_files }}
+          args: --verbose --no-progress --exclude-loopback --input "${{ runner.temp }}/changed-md-files.txt"
           fail: true

.github/workflows/sbom.yml

@@ -49,8 +49,9 @@ jobs:
         if: github.event_name == 'release'
         env:
           GH_TOKEN: ${{ github.token }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
         run: |
-          gh release upload "${{ github.event.release.tag_name }}" \
+          gh release upload "$RELEASE_TAG" \
             sbom.spdx.json \
             sbom.cdx.json \
             --clobber

.github/workflows/secret-scanning.yml

@@ -55,7 +55,7 @@ jobs:
               2>/dev/null || true)
             if [ -n "$MATCHES" ]; then
               echo "::warning::Potential secrets found matching pattern: $pattern"
-              echo "$MATCHES" | head -5
+              echo "$MATCHES" | head -5 | sed 's/:.*/:***REDACTED***/'
               FOUND=1
             fi
           done

.github/workflows/spell-check.yml

@@ -33,4 +33,6 @@ jobs:
 
       - name: Check spelling
         if: steps.changed-markdown.outputs.any_changed == 'true'
-        run: cspell --config .cspell.json --no-progress ${{ steps.changed-markdown.outputs.all_changed_files }}
+        env:
+          CHANGED_FILES: ${{ steps.changed-markdown.outputs.all_changed_files }}
+        run: cspell --config .cspell.json --no-progress $CHANGED_FILES