github: workflows: security update

[edsiper]

Changes Made

• pr-integration-test.yaml: blocked the exploit path by preventing fork PRs from reaching the pull_request_target privileged build/integration jobs; kept PR labeling with minimal pull-
  requests: write.
• pr-perf-test.yaml: applied the same same-repo gating for the secret-bearing performance workflow and tightened permissions on PR comment/label jobs.
• Added explicit least-privilege permissions to previously implicit workflows: pr-labels.yaml, pr-commit-message.yaml, pr-compile-check.yaml, pr-fuzz.yaml, pr-lint.yaml, commit-
  lint.yaml, pr-windows-build.yaml, skipped-unit-tests.yaml.
• Added explicit permissions to reusable/trusted wrappers so no workflow is left on implicit defaults: call-test-images.yaml, call-test-packages.yaml, master-integration-test.yaml,
  staging-build.yaml, staging-test.yaml, build-branch-containers.yaml, build-master-packages.yaml, cron-stale.yaml, cron-trivy.yaml.
• Verification: all workflow YAML parses cleanly, and the post-change scan found no workflow file left without an explicit permissions block.

Residual Risks / Manual Review Needed

• pr-integration-test.yaml and pr-perf-test.yaml still use pull_request_target, but only for metadata operations or same-repo trusted branches. Fork PRs no longer execute privileged
  code there.
• Mutable refs remain and should be pinned to full commit SHAs in a follow-up: google/oss-fuzz/...@master, aquasecurity/trivy-action@master, ludeeus/action-shellcheck@master, and the
  external reusable workflow fluent/fluent-bit-ci/...@main in pr-perf-test.yaml.
• staging-release.yaml still contains a maintainer-only permissions: write-all release job. It is outside the untrusted PR threat path, but it is broader than ideal and worth narrowing separately.

Short summary: the exploitable fork PR pattern is removed by stopping fork-controlled code from running inside privileged pull_request_target jobs, and every workflow now declares
explicit token permissions. The main side effect is intentional: labeled fork PRs will no longer run the privileged integration/performance workflows; maintainers will need a same-repo
branch or another trusted trigger for those cases.

GitHub Actions Security Audit

Workflow file	Trigger	Risk	Finding	Fix
build-branch-containers.yaml	workflow_dispatch	Low	Trusted manual wrapper had no explicit permissions	Added explicit contents: read + job packages: write only where needed
build-legacy-branch.yaml	workflow_dispatch	Low	Trusted manual image publish flow already scoped	No change
build-master-packages.yaml	push, workflow_dispatch	Low	Trusted wrapper had no explicit permissions	Added explicit contents: read
call-build-images.yaml	workflow_call	Medium	Trusted reusable publishes to GHCR; uses mutable trivy-action@master in trusted path	No behavior change; residual pinning follow-
up
call-build-linux-packages.yaml	workflow_call	Low	Trusted reusable with explicit perms already	No change
call-build-macos.yaml	workflow_call	Low	Trusted reusable with explicit perms already	No change
call-build-windows.yaml	workflow_call	Low	Trusted reusable with explicit perms already	No change
call-integration-image-build.yaml	workflow_call	Medium	Trusted reusable pushes integration images	No change
call-run-integration-test.yaml	workflow_call	Medium	Trusted reusable uses cloud secrets; explicit perms already	No change
call-test-images.yaml	workflow_call	Low	Read-only test workflow had no explicit permissions	Added permissions: contents: read
call-test-packages.yaml	workflow_call	Low	Read-only package test workflow had no explicit permissions	Added permissions: contents: read
call-windows-unit-tests.yaml	workflow_call	Low	Trusted reusable with explicit perms already	No change
commit-lint.yaml	pull_request, push	Low	Default token permissions	Added permissions: contents: read
cron-scorecards-analysis.yaml	schedule, push, workflow_dispatch	Low	Explicit read-all already present	No change
cron-stale.yaml	schedule	Low	Repo mutation workflow had no explicit permissions	Added only issues: write and pull-requests: write
cron-trivy.yaml	push, schedule, workflow_dispatch	Medium	Trusted scan workflow had no explicit permissions; mutable trivy-action@master	Added explicit read/security-events
permissions
cron-unstable-build.yaml	schedule, workflow_dispatch	Medium	Trusted publish flow already uses explicit perms	No change
master-integration-test.yaml	push	Medium	Trusted privileged reusable calls had no explicit permissions	Added explicit contents: read / packages: write on build job
pr-closed-docker.yaml	pull_request closed	Low	Metadata/package cleanup only; explicit perms already	No change
pr-commit-message.yaml	pull_request	Low	Default token permissions	Added permissions: contents: read
pr-compile-check.yaml	pull_request, workflow_dispatch	Low	Read-only CI inherited default token perms	Added permissions: contents: read
pr-fuzz.yaml	pull_request	Low	Missing explicit perms; SARIF upload needs security-events	Added contents: read + security-events: write
pr-image-tests.yaml	pull_request	Low	Read-only PR testing; explicit job perms already	No change
pr-install-script.yaml	pull_request	Low	Already least-privilege	No change
pr-integration-test.yaml	pull_request_target	High	Checked out PR head SHA in privileged context and exposed secrets/write token path	Kept labeling flow but gated privileged
jobs to same-repo PRs only; forks no longer execute privileged build/test path; added explicit perms
pr-labels.yaml	pull_request_target	Low	Metadata-only labeler had no explicit perms	Added only pull-requests: write
pr-lint.yaml	pull_request, workflow_dispatch	Low	Read-only lint inherited default token perms	Added permissions: contents: read
pr-package-tests.yaml	pull_request	Medium	Label-gated untrusted build/test flow, but not privileged for forks and no pull_request_target	No change
pr-perf-test.yaml	pull_request_target	High	Secret-bearing external reusable workflow on PR branch state	Gated secret-bearing run to same-repo PRs only; forks no longer reach
privileged path; added explicit perms
pr-windows-build.yaml	pull_request, workflow_dispatch	Low	Read-only reusable calls had no explicit perms	Added permissions: contents: read
skipped-unit-tests.yaml	pull_request	Low	No-op required-check workflow had no explicit perms	Added permissions: contents: read
staging-build.yaml	push tags, workflow_dispatch	Medium	Trusted staging publish wrapper had no explicit permissions	Added explicit least-privilege perms per job
staging-release.yaml	workflow_dispatch	Medium	Trusted maintainer-only release flow; broad perms exist intentionally in release jobs	No change
staging-test.yaml	workflow_run, workflow_dispatch	Medium	Trusted post-staging follow-up had no explicit permissions	Added explicit contents: read per workflow/job
unit-tests.yaml	push, pull_request, workflow_dispatch	Low	Explicit perms already present	No change
update-dockerhub.yaml	workflow_dispatch	Low	Trusted manual workflow already scoped	No change

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• Chores
  • Standardized and tightened CI workflow permissions across jobs and workflows to reduce excess access.
  • Added per-job permission declarations and stricter run conditions for some PR and integration flows.
  • Pinned select automation actions to fixed revisions for more reliable, secure builds and scans.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d2d0daa-7279-4f6d-9f46-b322724fec17

📥 Commits

Reviewing files that changed from the base of the PR and between bd66f1a and 54bb68b.

📒 Files selected for processing (2)

• .github/workflows/cron-trivy.yaml
• .github/workflows/pr-labels.yaml

---

📝 Walkthrough

Walkthrough

Adds explicit GitHub Actions permissions across many workflow files (mostly contents: read), with selective packages: write, security-events: write, and pull-requests: write; also pins a few action usages to specific commit hashes and tightens some PR/job conditional guards. (≤50 words)

Changes

Cohort / File(s)	Summary
Top-level & read-only workflows .github/workflows/... build-master-packages.yaml, call-test-images.yaml, call-test-packages.yaml, commit-lint.yaml, pr-compile-check.yaml, pr-lint.yaml, pr-windows-build.yaml, skipped-unit-tests.yaml	Added top-level and/or job-level permissions: contents: read. Formatting-only minor edits in a few files.
Branch/build/package workflows .github/workflows/... build-branch-containers.yaml, staging-build.yaml, master-integration-test.yaml	Added workflow- and job-level permissions; some jobs now include packages: write for artifact publishing.
Security scanning & fuzzing .github/workflows/... cron-trivy.yaml, pr-fuzz.yaml	Added security-events: write and contents: read; pinned two aquasecurity/trivy-action uses to a specific commit hash.
PR integration, guards & sequencing .github/workflows/... pr-integration-test.yaml, pr-perf-test.yaml, pr-commit-message.yaml	Tightened run conditions (repo/head checks, job ordering), added per-job permissions (contents: read, packages: write, pull-requests: write), and replaced some action refs with pinned commits.
Labeling / stale / perf workflows .github/workflows/... pr-labels.yaml, cron-stale.yaml, pr-perf-test.yaml	Added pull-requests: write or issues: write where required, updated labeling action refs to specific commit hashes, and extended label step inputs.
Staging & test flows .github/workflows/... staging-test.yaml, staging-build.yaml, master-integration-test.yaml	Applied permissions: contents: read (and packages: read where noted) at top-level and per-job; no other control-flow changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• github: workflows: security update #11533 — Similar changes to GitHub Actions workflows: adding explicit permissions and pinning action refs.

Suggested reviewers

• niedbalski
• patrick-stephens

Poem

"I nibble YAML lines by night,
I tuck each workflow safe and tight,
A pinned hash here, a guard set right,
Least privilege blooms beneath the light. 🐇"

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'github: workflows: security update' directly aligns with the PR's primary objective of hardening GitHub Actions workflows through explicit permissions declarations and security fixes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch security-pr-target

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/call-test-images.yaml:
- Around line 39-40: The workflow only grants contents: read but uses
docker/login-action to access GHCR, which requires packages: read; update the
permissions block in this reusable workflow (the permissions: contents: read
declaration) to include packages: read (e.g., add packages: read alongside
contents: read) and also ensure the caller workflow (staging-test.yaml, the
caller of this reusable workflow) has packages: read in its permissions so the
caller's token can authenticate for GHCR pulls; verify docker/login-action usage
remains unchanged after adding packages: read.

In @.github/workflows/cron-trivy.yaml:
- Around line 27-29: The workflow grants SARIF upload privileges via
permissions: security-events: write but calls the mutable reference
aquasecurity/trivy-action@master in two places; replace both occurrences of
aquasecurity/trivy-action@master with the corresponding full commit SHAs (pinned
commit SHAs) so the job running with security-events: write cannot be changed by
branch updates, and ensure both invocations are updated to the intended fixed
SHAs.

In @.github/workflows/pr-integration-test.yaml:
- Around line 41-42: The workflow grants elevated permission "pull-requests:
write" in the label jobs running on the pull_request_target context but
references the mutable action tag actions-ecosystem/action-add-labels@v1; update
both occurrences of that action reference used by the label jobs to pinned
commit SHAs (replace the `@v1` tag with the full commit SHA for
actions-ecosystem/action-add-labels) so the action is immutable while keeping
the permission "pull-requests: write" and the rest of the job configuration
unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1764bcf5-bc01-4f65-808a-0b87ec8e5bb6

📥 Commits

Reviewing files that changed from the base of the PR and between a1d9c2a and 553338b.

📒 Files selected for processing (19)

• .github/workflows/build-branch-containers.yaml
• .github/workflows/build-master-packages.yaml
• .github/workflows/call-test-images.yaml
• .github/workflows/call-test-packages.yaml
• .github/workflows/commit-lint.yaml
• .github/workflows/cron-stale.yaml
• .github/workflows/cron-trivy.yaml
• .github/workflows/master-integration-test.yaml
• .github/workflows/pr-commit-message.yaml
• .github/workflows/pr-compile-check.yaml
• .github/workflows/pr-fuzz.yaml
• .github/workflows/pr-integration-test.yaml
• .github/workflows/pr-labels.yaml
• .github/workflows/pr-lint.yaml
• .github/workflows/pr-perf-test.yaml
• .github/workflows/pr-windows-build.yaml
• .github/workflows/skipped-unit-tests.yaml
• .github/workflows/staging-build.yaml
• .github/workflows/staging-test.yaml

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 553338b8c0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restore packages read permission for image tests

call-test-images.yaml now limits GITHUB_TOKEN to contents: read, but this reusable workflow performs authenticated GHCR logins (docker/login-action in the image verification jobs) and is invoked from staging-test.yaml with secrets.GITHUB_TOKEN. In runs where the staging image/package is not fully public (a common/default GHCR setup), removing packages: read causes registry auth/pulls to fail, so the staging image test workflow will fail before tests execute.

Useful? React with 👍 / 👎.

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/pr-labels.yaml (1)

7-8: Consider adding contents: read for consistency with other hardened workflows.

The permission block only declares pull-requests: write. While this is functionally sufficient for the labeling action, other similar workflows in this PR (e.g., context snippet 1 shows pr-labels.yaml with both contents: read and per-job pull-requests: write) include explicit contents: read at the top level. Adding it here would maintain consistency and explicitly document the minimal read access.

♻️ Suggested change for consistency

 permissions:
+  contents: read
   pull-requests: write

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-labels.yaml around lines 7 - 8, Add the missing
top-level permissions entry by updating the permissions block in pr-labels.yaml
to include contents: read alongside the existing pull-requests: write; locate
the permissions section (the "permissions:" block containing "pull-requests:
write") and add a "contents: read" entry to match other hardened workflows and
explicitly grant minimal read access.

.github/workflows/cron-trivy.yaml (1)

27-29: Job-level permissions duplicate top-level declaration.

The trivy-latest job declares the same permissions already set at the workflow level (lines 15-18). While this is not incorrect and follows defense-in-depth principles, it's redundant since job-level permissions cannot exceed workflow-level permissions. Consider removing the job-level block if you prefer DRY, or keep it for explicit documentation—either approach is acceptable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cron-trivy.yaml around lines 27 - 29, The job-level
permissions block under the trivy-latest job is redundant because the same
permissions (contents: read, security-events: write) are already declared at the
top-level; remove the permissions: block from the trivy-latest job (i.e., delete
the job-scoped permissions entry) so the job inherits the workflow-level
permissions, or if you prefer to keep it for clarity leave it — but to follow
DRY, remove the job-level permissions under the trivy-latest job.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/cron-trivy.yaml:
- Around line 27-29: The job-level permissions block under the trivy-latest job
is redundant because the same permissions (contents: read, security-events:
write) are already declared at the top-level; remove the permissions: block from
the trivy-latest job (i.e., delete the job-scoped permissions entry) so the job
inherits the workflow-level permissions, or if you prefer to keep it for clarity
leave it — but to follow DRY, remove the job-level permissions under the
trivy-latest job.

In @.github/workflows/pr-labels.yaml:
- Around line 7-8: Add the missing top-level permissions entry by updating the
permissions block in pr-labels.yaml to include contents: read alongside the
existing pull-requests: write; locate the permissions section (the
"permissions:" block containing "pull-requests: write") and add a "contents:
read" entry to match other hardened workflows and explicitly grant minimal read
access.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3e008063-050a-4485-b174-955f83f8dc0c

📥 Commits

Reviewing files that changed from the base of the PR and between 553338b and bd66f1a.

📒 Files selected for processing (6)

• .github/workflows/call-test-images.yaml
• .github/workflows/cron-trivy.yaml
• .github/workflows/pr-integration-test.yaml
• .github/workflows/pr-labels.yaml
• .github/workflows/pr-perf-test.yaml
• .github/workflows/staging-test.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/staging-test.yaml