Merge pull request #196 from LerianStudio/fix/coderabbit-pr195-review-findings

bedatty · web-flow · commit f2e73da01c7f · 2026-04-01T12:14:10.000-03:00
fix(security): address CodeRabbit PR#195 review findings
diff --git a/.cursor/rules/reusable-workflows.mdc b/.cursor/rules/reusable-workflows.mdc
@@ -127,8 +127,8 @@ runs-on: self-hosted
 
 Every reusable workflow must:
 - support `workflow_call` (for external callers)
-- support `workflow_dispatch` (for manual testing)
 - expose explicit `inputs` — never rely on implicit context
+- **must NOT** include a `workflow_dispatch` trigger — if manual/interactive dispatch is needed, create a separate self-workflow under `.github/workflows/self-*`
 - **always include a `dry_run` input** (`type: boolean`, `default: false`) so the workflow can be safely tested before applying real changes
 
 ```yaml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -123,7 +123,7 @@ on:
         type: boolean
         default: false
       docker_build_args:
-        description: 'Newline-separated Docker build arguments to pass to docker build (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). Forwarded to docker/build-push-action build-args.'
+        description: 'Newline-separated Docker build arguments (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). For sensitive values (tokens, keys, passwords), use BuildKit secrets instead — build arguments are visible in image history.'
         type: string
         required: false
         default: ''
@@ -139,7 +139,6 @@ on:
 permissions:
   contents: read
   packages: write
-  id-token: write
 
 jobs:
   prepare:
@@ -208,6 +207,10 @@ jobs:
     if: needs.prepare.outputs.has_builds == 'true'
     runs-on: ${{ inputs.runner_type }}
     name: Build ${{ matrix.app.name }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       max-parallel: 2
       fail-fast: false
@@ -320,7 +323,7 @@ jobs:
           ENABLE_GHCR: ${{ inputs.enable_ghcr }}
           DOCKERHUB_ORG: ${{ inputs.dockerhub_org }}
           APP_NAME: ${{ matrix.app.name }}
-          GHCR_ORG: ${{ steps.normalize.outputs.owner_lower }}
+          GHCR_ORG: ${{ inputs.ghcr_org || steps.normalize.outputs.owner_lower }}
         run: |
           REFS=""
 
@@ -341,7 +344,7 @@ jobs:
 
       - name: Sign container images with cosign
         if: inputs.enable_cosign_sign
-        uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign
+        uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0
         with:
           image-refs: ${{ steps.cosign-refs.outputs.refs }}
 
diff --git a/.github/workflows/go-release.yml b/.github/workflows/go-release.yml
@@ -75,7 +75,6 @@ on:
 permissions:
   contents: write
   packages: write
-  id-token: write
 
 jobs:
   release:
@@ -144,6 +143,10 @@ jobs:
   docker:
     name: Build and Push Docker Image
     runs-on: ${{ inputs.runner_type }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     needs: release
     if: inputs.enable_docker && startsWith(github.ref, 'refs/tags/v')
 
@@ -194,7 +197,7 @@ jobs:
 
       - name: Sign container images with cosign
         if: inputs.enable_cosign_sign
-        uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign
+        uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0
         with:
           image-refs: ${{ steps.cosign-refs.outputs.refs }}
 
diff --git a/.github/workflows/pr-security-scan.yml b/.github/workflows/pr-security-scan.yml
@@ -68,7 +68,7 @@ on:
         type: boolean
         default: true
       docker_build_args:
-        description: 'Newline-separated Docker build arguments to pass to docker build (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). Forwarded to docker/build-push-action build-args.'
+        description: 'Newline-separated Docker build arguments (e.g., "APP_NAME=spi\nCOMPONENT_NAME=api"). For sensitive values (tokens, keys, passwords), use BuildKit secrets instead — build arguments are visible in image history.'
         type: string
         required: false
         default: ''
diff --git a/.github/workflows/typescript-build.yml b/.github/workflows/typescript-build.yml
@@ -148,7 +148,6 @@ on:
 permissions:
   contents: read
   packages: write
-  id-token: write
 
 jobs:
   prepare:
@@ -250,6 +249,10 @@ jobs:
     if: needs.prepare.outputs.has_builds == 'true'
     runs-on: ${{ inputs.runner_type }}
     name: Build ${{ matrix.app.name }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     strategy:
       max-parallel: 2
       fail-fast: false
@@ -333,7 +336,7 @@ jobs:
 
       - name: Sign container images with cosign
         if: inputs.enable_cosign_sign && !inputs.dry_run && steps.cosign-refs.outputs.refs != ''
-        uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@feat/cosign-sign
+        uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.23.0
         with:
           image-refs: ${{ steps.cosign-refs.outputs.refs }}
 
diff --git a/docs/build-workflow.md b/docs/build-workflow.md
@@ -225,7 +225,7 @@ jobs:
 
 ```bash
 cosign verify \
-  --certificate-identity-regexp=".*" \
+  --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \
   --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
   docker.io/lerianstudio/my-app@sha256:abc123...
 ```
diff --git a/docs/go-release-workflow.md b/docs/go-release-workflow.md
@@ -204,7 +204,7 @@ jobs:
 
 ```bash
 cosign verify \
-  --certificate-identity-regexp=".*" \
+  --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \
   --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
   ghcr.io/myorg/my-app@sha256:abc123...
 ```
diff --git a/docs/typescript-build.md b/docs/typescript-build.md
@@ -37,6 +37,7 @@ on:
 permissions:
   contents: read
   packages: write
+  id-token: write   # required for cosign keyless signing
 
 jobs:
   build:
@@ -230,7 +231,7 @@ jobs:
 
 ```bash
 cosign verify \
-  --certificate-identity-regexp=".*" \
+  --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \
   --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
   ghcr.io/lerianstudio/my-app@sha256:abc123...
 ```
diff --git a/src/security/cosign-sign/README.md b/src/security/cosign-sign/README.md
@@ -46,7 +46,7 @@ jobs:
       - name: Sign container image
         uses: LerianStudio/github-actions-shared-workflows/src/security/cosign-sign@v1.x.x
         with:
-          image-refs: myorg/myapp@${{ steps.build-push.outputs.digest }}
+          image-refs: docker.io/myorg/myapp@${{ steps.build-push.outputs.digest }}
 ```
 
 ### Signing multiple registries
@@ -64,7 +64,7 @@ jobs:
 
 ```bash
 cosign verify \
-  --certificate-identity-regexp=".*" \
+  --certificate-identity-regexp="^https://github.com/LerianStudio/.*/.github/workflows/.*@refs/heads/.*$" \
   --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
   docker.io/myorg/myapp@sha256:abc123...
 ```
