fix(ci): harden against template injection and credential exposure

Refs: PSEC-923
Repo: wolfi-dev/wolfi-act
Scan date: 2026-05-03
Patches: 4

Summary

This patch series addresses security findings from zizmor --persona=auditor across
the workflows and composite action in wolfi-dev/wolfi-act. The four patches are
atomic by change type and apply cleanly in order.

Patch 0001 — fix(ci): resolve template injection findings; fix env file for container

File changed: action.yml

Six template-injection findings identified in the composite action's single run: block.
All six involved ${{ inputs.* }} template expressions evaluated by GitHub Actions before
the shell runs. The affected expressions were:

• ${{inputs.debug}} — passed as a single-quoted shell value
• ${{inputs.command}} — used in an empty check and passed to bash for execution
• ${{inputs.packages}} — used for package list iteration
• ${{ inputs.apko-image }} — passed as a docker image argument
• ${{ inputs.command }} (×2) — echoed and passed as the script to bash -c

Fix: Added an env: block (before run: for readability) with four variables:
INPUT_DEBUG, INPUT_COMMAND, INPUT_PACKAGES, INPUT_APKO_IMAGE. Updated all six
in-shell references to use "${VAR}" double-quoted expansions. The single-quote shell
context was intentional to protect against glob expansion, but the GitHub Actions template
is evaluated before the shell sees the script, so single-quoting does not prevent injection
of special characters from input values.

Also in this patch: Changed env > wolfi-act.github.env to a while loop over
env -0 to safely filter INPUT_* variables and any vars with embedded newlines before
passing the env file to any line-oriented consumer. Moving inputs to env: variables
causes INPUT_COMMAND (a multi-line shell script) to appear in the runner's environment.
Plain env outputs multi-line values as raw newlines, so a simple grep -v '^INPUT_'
only removes the first line — continuation lines pass through and break consumers expecting
one NAME=VALUE per line. A grep -z -v $'\n' filter to drop multi-line records also
fails: grep -v returns exit code 1 when nothing is filtered out, which kills the
pipeline under set -o pipefail. The while loop over env -0 (null-terminated
records) avoids both problems: each record is processed atomically regardless of embedded
newlines, and the loop always exits 0.

Note: inputs.command is by design user-supplied executable shell code (the entire purpose
of wolfi-act is to run arbitrary commands in a Wolfi ephemeral container). Moving to an env
var prevents template injection at the Actions layer; the command still executes as bash.
See manual-review.md for a documentation recommendation.

Patch 0002 — fix(ci): add persist-credentials: false and scope workflow permissions

File changed: .github/workflows/ci.yml

Artipacked (2 findings): Both actions/checkout steps in ci.yml (jobs ci and
ci-debug) lacked persist-credentials: false. Neither job performs any git write
operations after checkout, and the action under test (./) uses its own Docker-based
ephemeral runner that does not use the git credential store. persist-credentials: false
is correct.

Excessive permissions (3 findings): ci.yml had no workflow-level permissions: block
(defaulting to broad implicit permissions) and no per-job permissions: blocks. Both jobs
only require contents: read (for checkout). Fixed by:

• Adding permissions: {} at workflow level (deny-all default)
• Adding permissions: { contents: read } explicitly to both ci and ci-debug jobs

No changes to build.yml — its existing permissions: blocks are correctly scoped
(contents: read at workflow level; packages: write and id-token: write at build-job
level for GHCR push and cosign keyless signing respectively).

Patch 0003 — fix(ci): add pedantic persona and suppress noisy zizmor rules

Files changed: .github/workflows/zizmor.yaml, .github/zizmor.yml

zizmor persona: Added persona: pedantic to the zizmorcore/zizmor-action step in
zizmor.yaml. This switches from the default regular persona to pedantic, catching
all ${{ }} template expansions in run: blocks (not only attacker-controlled sources).

Paths triggers: Added paths: filters to both pull_request and push triggers in
zizmor.yaml to include action.yml, .github/dependabot.yml, and .github/zizmor.yml.
The action.yml entry is necessary because wolfi-act's composite action definition lives at
the repo root (not under .github/), so changes to it would otherwise not trigger the check.

Rule suppression in .github/zizmor.yml: Added three disabled rules:

• anonymous-definition — pedantic-only, no security impact (cosmetic)
• undocumented-permissions — pedantic-only, pure documentation style
• concurrency-limits — low security value, generates 4 findings in this repo alone

These suppressed the 4 concurrency-limits, 4 anonymous-definition, and 1
undocumented-permissions findings that are noise without actionable remediation.

Patch 0004 — fix(ci): quote $PWD in docker run arguments (SC2086)

File changed: action.yml

Two occurrences of -v ${PWD}:/work \ in docker run commands were unquoted.
Quoted to -v "${PWD}":/work \ to prevent word splitting on paths with spaces
(SC2086). No logic change.

Findings not auto-fixed

1 × stale-action-refs — build.yml:31

wolfi-dev/wolfi-act@c7bc05c8af23bca710b267e0db3b39c939eb7b02 # main is a self-referential
pin (the workflow references itself). zizmor flags this SHA as not corresponding to a Git
tag. Requires an online check to determine if a tag has since been created for this commit.
Documented in manual-review.md.

Finding counts

Refs: PSEC-923