From 2c704c5ea7d536fcf115ef67501115f3a69d533d Mon Sep 17 00:00:00 2001 From: Lucas Rodriguez Date: Thu, 4 Apr 2024 23:30:56 -0500 Subject: [PATCH 1/2] fix: use env var for PR title in commitlint workflow to prevent untrusted script injection (#2418) ## Description Our OSSF scorecard workflow flagged this as a `Critical` security risk. Unsure of whether there is a real attack vector in our specific case. Using an environment variable to capture untrusted input in workflows is a documented security hardening best practice by GitHub as well. This should also boost our OSSF scorecard score since we have a `0` on this check. image `Dangerous-Workflow` check: - https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow Risk of script injections: - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections Example script injection attack: - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack Recommended fix that this PR implements: - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable ## Type of change - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --- .github/workflows/commitlint.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index b25a1b28db..39838c5298 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml 
@@ -24,4 +24,6 @@ jobs: run: npm install --save-dev @commitlint/{config-conventional,cli} - name: Lint PR title - run: echo "${{ github.event.pull_request.title }}" | npx commitlint + env: + PR_TITLE: ${{ github.event.pull_request.title }} + run: echo "$PR_TITLE" | npx commitlint From 7cf34a5cf370a8eb23d2a22e63410d4e51eb5614 Mon Sep 17 00:00:00 2001 From: Blake Burkhart Date: Fri, 5 Apr 2024 00:37:36 -0500 Subject: [PATCH 2/2] fix: use default GITHUB_TOKEN for ossf/scorecard-action (#2416) ## Description Zarf's branch protection was switched to rulesets instead of classic branch protection (temporarily in evaluate mode). A PAT is no longer needed. See: https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed Co-authored-by: razzle --- .github/workflows/scorecard.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 1dcc7704ac..f98ea7bdd1 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -31,7 +31,6 @@ jobs: with: results_file: results.sarif results_format: sarif - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
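Review bot: In the commitlint hunk, `echo "$PR_TITLE"` still lets a title that begins with `-n` or `-e` be parsed as an option by bash's builtin `echo`, so the text that reaches `npx commitlint` would not be the actual title; `printf '%s\n' "$PR_TITLE" | npx commitlint` passes any title through unchanged. Moving the `${{ github.event.pull_request.title }}` expansion out of the `run:` script into the `env:` block is the right fix for the injection itself: the title is now exported as an environment variable and only ever expanded by the shell as quoted data, so it can no longer alter the script that the runner generates.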
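Review bot: In the scorecard hunk, dropping `repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}` makes the action fall back to the job's default `GITHUB_TOKEN`, but the `permissions:` block that the token inherits is outside this hunk; with `publish_results: true` and `results_format: sarif` kept, confirm the job still grants `id-token: write` (required for publishing) and `security-events: write` (required for the SARIF upload step that follows), otherwise the run will fail at publish time rather than at lint time. Since the workflow no longer references `SCORECARD_READ_TOKEN`, the PR should also note that the repository secret and the underlying PAT can be revoked so an unused credential is not left behind.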