MINOR: fix some GHA run syntax (#17471)

Reviewers: Chia-Ping Tsai <[email protected]>

.github/actions/gh-api-approve-run/action.yml

@@ -43,9 +43,13 @@ runs:
       shell: bash
       env:
         GH_TOKEN: ${{ inputs.gh-token }}
+        REPO: ${{ inputs.repository }}
+        RUN_ID: ${{ inputs.run_id }}
+        PR_NUMBER: ${{ inputs.pr_number }}
+        COMMIT_SHA: ${{ inputs.commit_sha }}
       run: |
-        echo "Approving workflow run ${{ inputs.run_id }} for PR ${{ inputs.pr_number }} at SHA ${{ inputs.commit_sha }}";
+        echo "Approving workflow run $RUN_ID for PR $PR_NUMBER at SHA $COMMIT_SHA";
         gh api --method POST \
               -H 'Accept: application/vnd.github+json' \
               -H 'X-GitHub-Api-Version: 2022-11-28' \
-              /repos/${{ inputs.repository }}/actions/runs/${{ inputs.run_id }}/approve
+              /repos/$REPO/actions/runs/$RUN_ID/approve

.github/actions/gh-api-update-status/action.yml

@@ -53,9 +53,15 @@ runs:
       shell: bash
       env:
         GH_TOKEN: ${{ inputs.gh-token }}
+        REPO: ${{ inputs.repository }}
+        COMMIT_SHA: ${{ inputs.commit_sha }}
+        STATE: ${{ inputs.state }}
+        URL: ${{ inputs.url }}
+        DESCRIPTION: ${{ inputs.description }}
+        CONTEXT: ${{ inputs.context }}
       run: |
         gh api --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
-        /repos/${{ inputs.repository }}/statuses/${{ inputs.commit_sha }} \
-        -f "state=${{ inputs.state }}" -f "target_url=${{ inputs.url }}" \
-        -f "description=${{ inputs.description }}" \
-        -f "context=${{ inputs.context }}"
+        /repos/$REPO/statuses/$COMMIT_SHA \
+        -f "state=$STATE" -f "target_url=$URL" \
+        -f "description=$DESCRIPTION" \
+        -f "context=$CONTEXT"

.github/workflows/README.md

@@ -19,6 +19,38 @@ By default, GitHub sends an email for each failed action run. To change this,
 visit https://github.com/settings/notifications and find System -> Actions.
 Here you can change your notification preferences.
 
+## Security
+
+Please read the following GitHub articles before authoring new workflows.
+
+1) https://github.blog/security/supply-chain-security/four-tips-to-keep-your-github-actions-workflows-secure/
+2) https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+
+### Variable Injection
+
+Any workflows that use the `run` directive should avoid using the `${{ ... }}` syntax.
+Instead, declare all injectable variables as environment variables. For example:
+
+```yaml
+    - name: Copy RC Image to promoted image
+      env:
+        PROMOTED_DOCKER_IMAGE: ${{ github.event.inputs.promoted_docker_image }}
+        RC_DOCKER_IMAGE: ${{ github.event.inputs.rc_docker_image }}
+      run: |
+        docker buildx imagetools create --tag $PROMOTED_DOCKER_IMAGE $RC_DOCKER_IMAGE
+```
+
+This prevents untrusted inputs from doing script injection in the `run` steps.
+
+### `pull_request_target` events
+
+In addition to the above security articles, please review the [official documentation](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target)
+on `pull_request_target`. This event type allows PRs to trigger actions that run
+with elevated permission and access to repository secrets. We should only be 
+using this for very simple tasks such as applying labels or adding comments to PRs.
+
+_We must never run the untrusted PR code in the elevated `pull_request_target` context_
+
 ## GitHub Actions Quirks
 
 ### Composite Actions

.github/workflows/build.yml

@@ -63,15 +63,15 @@ jobs:
           gradle-cache-write-only: ${{ inputs.gradle-cache-write-only }}
           develocity-access-key: ${{ secrets.GE_ACCESS_TOKEN }}
       - name: Compile and validate
+        env:
+          SCAN_ARG: ${{ inputs.is-public-fork && '--no-scan' || '--scan' }}
         # Gradle flags
         # --build-cache:  Let Gradle restore the build cache
         # --info:         For now, we'll generate lots of logs while setting up the GH Actions
         # --scan:         Publish the build scan. This will only work on PRs from apache/kafka and trunk
         # --no-scan:      For public fork PRs, we won't attempt to publish the scan
         run: |
-          ./gradlew --build-cache --info  \
-          ${{ inputs.is-public-fork && '--no-scan' || '--scan' }} \
-          check -x test
+          ./gradlew --build-cache --info $SCAN_ARG check -x test
       - name: Archive check reports
         if: always()
         uses: actions/upload-artifact@v4

.github/workflows/ci-requested.yml

@@ -43,6 +43,7 @@ jobs:
       - name: Check PR Labels
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
           RUN_ID: ${{ github.event.workflow_run.id }}
           HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
           HEAD_REPO: ${{ github.event.workflow_run.head_repository.owner.login }}
@@ -56,7 +57,7 @@ jobs:
           PR_NUMBER=$(gh api \
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/${{ github.repository }}/pulls?head=$HEAD_REPO:$HEAD_BRANCH \
+            /repos/$REPO/pulls?head=$HEAD_REPO:$HEAD_BRANCH \
             --jq '.[0].number')
           if [ -z "$PR_NUMBER" ]; then
             echo "Could not find the PR that triggered this workflow request";

.github/workflows/deflake.yml

@@ -54,15 +54,19 @@ jobs:
       - name: Test
         timeout-minutes: 60
         id: junit-test
+        env:
+          TEST_REPEAT: ${{ inputs.test-repeat }}
+          TEST_MODULE: ${{ inputs.test-module }}
+          TEST_PATTERN: ${{ inputs.test-pattern }}
         run: |
           set +e
           ./gradlew --info --build-cache --scan --continue \
           -PtestLoggingEvents=started,passed,skipped,failed \
           -PignoreFailures=true -PmaxParallelForks=2 \
-          -Pkafka.cluster.test.repeat=${{ inputs.test-repeat }} \
-          -PmaxTestRetries=${{ inputs.test-repeat }} -PmaxTestRetryFailures=0 \
-          -PmaxQuarantineTestRetries=${{ inputs.test-repeat }} -PmaxQuarantineTestRetryFailures=0 \
-          ${{ inputs.test-module }}:test ${{ inputs.test-module }}:quarantinedTest --tests ${{ inputs.test-pattern }}
+          -Pkafka.cluster.test.repeat=$TEST_REPEAT \
+          -PmaxTestRetries=$TEST_REPEAT -PmaxTestRetryFailures=0 \
+          -PmaxQuarantineTestRetries=$TEST_REPEAT -PmaxQuarantineTestRetryFailures=0 \
+          ${TEST_MODULE}:test ${TEST_MODULE}:quarantinedTest --tests $TEST_PATTERN
           exitcode="$?"
           echo "exitcode=$exitcode" >> $GITHUB_OUTPUT
       - name: Archive JUnit reports

.github/workflows/docker_build_and_test.yml

@@ -43,8 +43,11 @@ jobs:
         pip install -r docker/requirements.txt
     - name: Build image and run tests
       working-directory: ./docker
+      env:
+        IMAGE_TYPE: ${{ github.event.inputs.image_type }}
+        KAFKA_URL: ${{ github.event.inputs.kafka_url }}
       run: |
-        python docker_build_test.py kafka/test -tag=test -type=${{ github.event.inputs.image_type }} -u=${{ github.event.inputs.kafka_url }}
+        python docker_build_test.py kafka/test -tag=test -type=$IMAGE_TYPE -u=$KAFKA_URL
     - name: Run CVE scan
       uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
       with:

.github/workflows/docker_official_image_build_and_test.yml

@@ -42,8 +42,11 @@ jobs:
         pip install -r docker/requirements.txt
     - name: Build image and run tests
       working-directory: ./docker
+      env:
+        IMAGE_TYPE: ${{ github.event.inputs.image_type }}
+        KAFKA_VERSION: ${{ github.event.inputs.kafka_version }}
       run: |
-        python docker_official_image_build_test.py kafka/test -tag=test -type=${{ github.event.inputs.image_type }} -v=${{ github.event.inputs.kafka_version }}
+        python docker_official_image_build_test.py kafka/test -tag=test -type=$IMAGE_TYPE -v=$KAFKA_VERSION
     - name: Run CVE scan
       uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
       with:

.github/workflows/docker_promote.yml

@@ -40,5 +40,8 @@ jobs:
         username: ${{ secrets.DOCKERHUB_USER }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
     - name: Copy RC Image to promoted image
+      env:
+        PROMOTED_DOCKER_IMAGE: ${{ github.event.inputs.promoted_docker_image }}
+        RC_DOCKER_IMAGE: ${{ github.event.inputs.rc_docker_image }}
       run: |
-        docker buildx imagetools create --tag ${{ github.event.inputs.promoted_docker_image }} ${{ github.event.inputs.rc_docker_image }}
+        docker buildx imagetools create --tag $PROMOTED_DOCKER_IMAGE $RC_DOCKER_IMAGE

.github/workflows/docker_rc_release.yml

@@ -56,5 +56,9 @@ jobs:
         username: ${{ secrets.DOCKERHUB_USER }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
     - name: Release the RC docker image
+      env:
+        RC_DOCKER_IMAGE: ${{ github.event.inputs.rc_docker_image }}
+        KAFKA_URL: ${{ github.event.inputs.kafka_url }}
+        IMAGE_TYPE: ${{ github.event.inputs.image_type }}
       run: |
-        python docker/docker_release.py ${{ github.event.inputs.rc_docker_image }} --kafka-url ${{ github.event.inputs.kafka_url }} --image-type ${{ github.event.inputs.image_type }}
+        python docker/docker_release.py $RC_DOCKER_IMAGE --kafka-url $KAFKA_URL --image-type $IMAGE_TYPE

.github/workflows/prepare_docker_official_image_source.yml

@@ -42,8 +42,11 @@ jobs:
         pip install -r docker/requirements.txt
     - name: Build Docker Official Image Artifact
       working-directory: ./docker
+      env:
+        IMAGE_TYPE: ${{ github.event.inputs.image_type }}
+        KAFKA_VERSION: ${{ github.event.inputs.kafka_version }}
       run: |
-        python prepare_docker_official_image_source.py -type=${{ github.event.inputs.image_type }} -v=${{ github.event.inputs.kafka_version }}
+        python prepare_docker_official_image_source.py -type=$IMAGE_TYPE -v=$KAFKA_VERSION
     - name: Upload Docker Official Image Artifact
       if: success()
       uses: actions/upload-artifact@v4