
fix: code scanning issues (#6063)

Gergely Bräutigam 6 days ago
parent
commit
7c66979529

+ 1 - 1
.github/actions/e2e/action.yml

@@ -6,7 +6,7 @@ runs:
   steps:
 
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v1
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
       with:
         role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
         aws-region: ${{ env.AWS_REGION }}
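Review bot: `role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}` in this composite action depends on the calling job exporting `AWS_OIDC_ROLE_ARN`, and this same commit moves that variable from workflow-level `env` into job-level `env` in e2e-managed.yml and e2e.yml, so a job that invokes `.github/actions/e2e` without receiving one of those job-level blocks would now pass an empty role ARN to the AWS credentials step. Please confirm every caller of this action is one of the jobs that got the job-level `env`. The only edit in this hunk is the version comment on an unchanged SHA; verify that the pinned commit really corresponds to v4.0.2, since a mislabelled pin misleads the next Dependabot or pin review.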

+ 6 - 3
.github/workflows/ci.yml

@@ -11,9 +11,6 @@ env:
   GOLANGCI_VERSION: 'v2.11.3'
   KUBERNETES_VERSION: '1.33.x'
 
-  # Sonar
-  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
 permissions:
   contents: read
 
@@ -51,6 +48,8 @@ jobs:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Check License Headers
         uses: apache/skywalking-eyes/header@61275cc80d0798a405cb070f7d3a8aaf7cf2c2c1 # v0.8.0
 
@@ -67,6 +66,8 @@ jobs:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v3
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -102,6 +103,8 @@ jobs:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Fetch History
         run: git fetch --prune --unshallow
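Review bot: The third checkout (hunk `@@ -102,6 +103,8 @@`) is immediately followed by `git fetch --prune --unshallow`, which after the new `persist-credentials: false` runs without any stored credential, so it only succeeds if the repository is readable anonymously. If that is the intent, a comment such as `# anonymous fetch: repository is public, no persisted token needed` above the fetch step would stop the next reader from re-enabling credential persistence to "fix" it. Removing the workflow-level `SONAR_TOKEN` is only safe if no remaining step references `env.SONAR_TOKEN` or runs the Sonar scanner; the hunks do not show the consumer, so please check the rest of the file.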

+ 2 - 0
.github/workflows/codeql.yml

@@ -31,6 +31,8 @@ jobs:
         egress-policy: audit
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
     # Without this, codeql scan builds databases separately for all modules during every run.
     - name: Run go work
       run: make go-work

+ 1 - 0
.github/workflows/crds.yml

@@ -25,6 +25,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Generate crds for testing
         run: make crds.generate.tests

+ 5 - 3
.github/workflows/dependabot-approve.yml

@@ -10,15 +10,17 @@ jobs:
     runs-on: ubuntu-latest
     # Checking the actor will prevent your Action run failing on non-Dependabot
     # PRs but also ensures that it only does work for Dependabot PRs.
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
     steps:
       - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
         with:
           egress-policy: audit
       - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: app-token
+        env:
+          APP_ID: ${{ secrets.APP_ID }}
         with:
-          app-id: ${{ secrets.APP_ID }}
+          app-id: ${{ env.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
       # This first step will fail if there's no metadata and so the approval
       # will not occur.
@@ -40,4 +42,4 @@ jobs:
         run: gh pr merge --auto --squash "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
+          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
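Review bot: `private-key: ${{ secrets.PRIVATE_KEY }}` in the `with:` block of the `create-github-app-token` step still passes the secret directly while `app-id` was rerouted through step `env`, so the step is half-converted and the more sensitive of the two inputs keeps the very pattern the scanner flagged. Either route both through `env` (as lgtm.yml does in this commit with `LGTM_APP_ID`/`LGTM_PRIVATE_KEY`) or leave both as they were; the same half-conversion appears in e2e.yml, ok-to-test.yml, ok-to-test-managed.yml and update-deps.yml. Note that `secrets` → `env` → `with` indirection does not by itself reduce exposure — the same value reaches the same action — so a one-line comment above the `env:` block naming the scanner finding it satisfies would spare future readers from "simplifying" it back.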

+ 2 - 0
.github/workflows/dependency-review.yml

@@ -23,5 +23,7 @@ jobs:
 
       - name: 'Checkout Repository'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4

+ 8 - 2
.github/workflows/dlc.yml

@@ -23,16 +23,22 @@ jobs:
       - name: "Checkout Code"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: ${{ env.HAS_FOSSA_KEY == 'true' }}
+        with:
+          persist-credentials: false
 
       - name: "Run FOSSA Scan"
         uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # main
         if: ${{ env.HAS_FOSSA_KEY == 'true' }}
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
         with:
-          api-key: ${{secrets.FOSSA_API_KEY}}
+          api-key: ${{ env.FOSSA_API_KEY }}
 
       - name: "Run FOSSA Test"
         uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # main
         if: ${{ env.HAS_FOSSA_KEY == 'true' }}
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
         with:
-          api-key: ${{secrets.FOSSA_API_KEY}}
+          api-key: ${{ env.FOSSA_API_KEY }}
           run-tests: true

+ 3 - 1
.github/workflows/docs.yml

@@ -20,6 +20,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -29,10 +30,11 @@ jobs:
       - name: Configure Git
         env:
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-          git remote set-url origin "https://x-access-token:${{ env.TOKEN }}@github.com/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${TOKEN}@github.com/${GH_REPO}.git"
 
       - name: Build Docs
         run: make docs.publish
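Review bot: `git remote set-url origin "https://x-access-token:${TOKEN}@github.com/${GH_REPO}.git"` writes the token into `.git/config` in plaintext for the rest of the job, which undoes what the new `persist-credentials: false` on the checkout above is meant to achieve, and the token will also surface in `git remote -v` output and in any git error message that echoes the remote URL. Moving the `${{ }}` expressions into shell variables is the right fix for the injection finding; for the credential itself, prefer supplying it per command rather than persisting it, e.g. `git -c http.https://github.com/.extraheader="AUTHORIZATION: basic ${BASIC}" push ...` with `BASIC` derived from `x-access-token:${TOKEN}` in base64, or a `GIT_ASKPASS` helper. The same URL-embedding pattern is kept or newly introduced in release.yml, release_esoctl.yml (the new `Configure Git credentials` step) and update-deps.yml. The push that consumes this credential (`make docs.publish`) is outside the hunk, so the exact command to scope it to is not visible here.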

+ 41 - 41
.github/workflows/e2e-managed.yml

@@ -11,38 +11,12 @@ env:
   DOCKER_BUILDX_VERSION: 'v0.4.2'
   GHCR_USERNAME: ${{ github.actor }}
   USE_GKE_GCLOUD_AUTH_PLUGIN: true
-  
-  # GCP variables
-  GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
-  GCP_SM_SA_GKE_JSON: ${{ secrets.GCP_SM_SA_GKE_JSON }}
   GCP_GKE_CLUSTER: e2e
   TF_VAR_GCP_GKE_CLUSTER: e2e
-  GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
-  TF_VAR_GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
-  GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
-  TF_VAR_GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
-  GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
-  TF_VAR_GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
-  GCP_FED_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
-  GCP_FED_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
-  
-  # AWS variables
-  AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
-  AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
-  AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
   AWS_REGION: "eu-central-1"
   AWS_CLUSTER_NAME: "eso-e2e-managed"
-  TF_VAR_AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
-  TF_VAR_AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
   TF_VAR_AWS_REGION: "eu-central-1"
   TF_VAR_AWS_CLUSTER_NAME: "eso-e2e-managed"
-  
-  # Azure variables
-  TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
-  TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
-  TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
-  TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
-  TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
 
 jobs:
 
@@ -101,6 +75,12 @@ jobs:
       id-token: write
       contents: read
       packages: write
+    env:
+      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+      AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
+      AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
+      TF_VAR_AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
+      TF_VAR_AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
     steps:
       - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
         with:
@@ -110,6 +90,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
+          persist-credentials: false
 
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -141,7 +122,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
         with:
-          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+          role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
 
       - name: Apply Terraform
@@ -176,6 +157,17 @@ jobs:
       id-token: write
       contents: read
       packages: write
+    env:
+      GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+      GCP_SM_SA_GKE_JSON: ${{ secrets.GCP_SM_SA_GKE_JSON }}
+      GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
+      TF_VAR_GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
+      GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
+      TF_VAR_GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
+      GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
+      TF_VAR_GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
+      GCP_FED_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
+      GCP_FED_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
     steps:
       - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
         with:
@@ -185,6 +177,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
+          persist-credentials: false
 
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -216,9 +209,9 @@ jobs:
       - name: Authenticate to Google Cloud
         uses: 'google-github-actions/auth@fc2174804b84f912b1f6d334e9463f484f1c552d' # v3
         with:
-          project_id: ${{ secrets.GCP_FED_PROJECT_ID }}
-          service_account: ${{ secrets.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
-          workload_identity_provider: ${{ secrets.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
+          project_id: ${{ env.GCP_FED_PROJECT_ID }}
+          service_account: ${{ env.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
+          workload_identity_provider: ${{ env.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
           create_credentials_file: true
 
       - name: Apply Terraform
@@ -234,7 +227,7 @@ jobs:
         with:
           cluster_name: '${{ env.GCP_GKE_CLUSTER }}'
           location: 'europe-west1'
-          project_id: '${{ secrets.GCP_FED_PROJECT_ID }}'
+          project_id: '${{ env.GCP_FED_PROJECT_ID }}'
 
       - name: Login to Docker
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
@@ -246,7 +239,7 @@ jobs:
 
       - name: Run GCP e2e Tests
         env:
-          GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+          GCP_SERVICE_ACCOUNT_KEY: ${{ env.GCP_SERVICE_ACCOUNT_KEY }}
         run: |
           export PATH=$PATH:$(go env GOPATH)/bin
           make test.e2e.managed GINKGO_LABELS="gcp && managed" TEST_SUITES="provider"
@@ -264,6 +257,12 @@ jobs:
       id-token: write
       contents: read
       packages: write
+    env:
+      TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
+      TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
+      TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
+      TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
+      TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
     steps:
       - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
         with:
@@ -273,6 +272,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
+          persist-credentials: false
 
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -304,15 +304,15 @@ jobs:
       - name: Azure CLI login
         uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43
         with:
-          client-id: ${{ secrets.TFC_AZURE_CLIENT_ID }}
-          tenant-id: ${{ secrets.TFC_AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ env.TFC_AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.TFC_AZURE_TENANT_ID }}
+          subscription-id: ${{ env.TFC_AZURE_SUBSCRIPTION_ID }}
 
       - name: Apply Terraform
         env:
-          ARM_CLIENT_ID: "${{ secrets.TFC_AZURE_CLIENT_ID }}"
-          ARM_SUBSCRIPTION_ID: "${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}"
-          ARM_TENANT_ID: "${{ secrets.TFC_AZURE_TENANT_ID }}"
+          ARM_CLIENT_ID: ${{ env.TFC_AZURE_CLIENT_ID }}
+          ARM_SUBSCRIPTION_ID: ${{ env.TFC_AZURE_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ env.TFC_AZURE_TENANT_ID }}
         run: make tf.apply.azure
 
       - name: Get AKS credentials
@@ -334,9 +334,9 @@ jobs:
       - name: Destroy Terraform
         if: always()
         env:
-          ARM_CLIENT_ID: "${{ secrets.TFC_AZURE_CLIENT_ID }}"
-          ARM_SUBSCRIPTION_ID: "${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}"
-          ARM_TENANT_ID: "${{ secrets.TFC_AZURE_TENANT_ID }}"
+          ARM_CLIENT_ID: ${{ env.TFC_AZURE_CLIENT_ID }}
+          ARM_SUBSCRIPTION_ID: ${{ env.TFC_AZURE_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ env.TFC_AZURE_TENANT_ID }}
         run: make tf.destroy.azure
 
   # Final status update job
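Review bot: `GCP_SERVICE_ACCOUNT_KEY: ${{ env.GCP_SERVICE_ACCOUNT_KEY }}` in the `Run GCP e2e Tests` step is now a no-op self-assignment, because the same name is already set from `secrets.GCP_SERVICE_ACCOUNT_KEY` in the new job-level `env` block. Since this is a service-account JSON key and job-level `env` exposes it to every step in the job — including third-party actions such as harden-runner, setup-go, the GKE credential step and docker login — the tighter option is to keep it only at this step as `GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}` and drop it from the job `env`. The same question applies to `TFC_AZURE_CLIENT_SECRET` and `TFC_VAULT_URL` in the Azure job's `env`: the visible steps authenticate with OIDC (`client-id`/`tenant-id`/`subscription-id`) and no hunk shows a consumer, so if nothing else in the job reads them they should not be exported. Minor style: the `Apply Terraform` and `Destroy Terraform` `ARM_*` values lost their quotes while `project_id: '${{ env.GCP_FED_PROJECT_ID }}'` keeps them; pick one form for expression values in this file.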

+ 64 - 38
.github/workflows/e2e.yml

@@ -12,46 +12,9 @@ env:
   # Common versions
   KIND_VERSION: 'v0.30.0'
   KIND_IMAGE: 'kindest/node:v1.33.4'
-
-  # Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run
-  # a step 'if env.GHCR_USERNAME' != ""', so we copy these to succinctly test whether
-  # credentials have been provided before trying to run steps that need them.
   TARGET_SHA: ${{ github.event.client_payload.slash_command.args.named.sha }}
   GHCR_USERNAME: ${{ github.actor }}
-  GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY}}
-  GCP_FED_REGION: ${{ secrets.GCP_FED_REGION}}
-  GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME}} # Google Service Account
-  GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME}} # Kubernetes Service Account
-  GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID}}
-
   AWS_REGION: "eu-central-1"
-  AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
-  AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
-  AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
-
-  TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID}}
-  TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
-  TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID}}
-  TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
-  TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL}}
-
-  SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
-  SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
-  SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
-  SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
-  SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
-  DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
-  DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
-  DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
-  DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
-  DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
-
-  SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
-  SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
-  SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
-
-  GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
-  GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
 jobs:
 
   integration-trusted:
@@ -60,6 +23,35 @@ jobs:
       id-token: write #for oidc auth with aws/gcp/azure
       contents: read  #for checkout
     if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
+    env:
+      GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+      GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
+      GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
+      GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
+      GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
+      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+      AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
+      AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
+      TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
+      TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
+      TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
+      TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
+      TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
+      SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
+      SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
+      SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
+      SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
+      SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
+      DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
+      DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
+      DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
+      DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
+      DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
+      SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
+      SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
+      SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
+      GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
+      GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
     steps:
     - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
       with:
@@ -67,6 +59,8 @@ jobs:
 
     - name: Branch based PR checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
 
     - name: Fetch History
       run: git fetch --prune --unshallow
@@ -81,6 +75,35 @@ jobs:
       contents: read       #for checkout
       pull-requests: write # to publish the status as comments
     if: github.event_name == 'repository_dispatch'
+    env:
+      GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
+      GCP_FED_REGION: ${{ secrets.GCP_FED_REGION }}
+      GCP_GSA_NAME: ${{ secrets.GCP_GSA_NAME }}
+      GCP_KSA_NAME: ${{ secrets.GCP_KSA_NAME }}
+      GCP_FED_PROJECT_ID: ${{ secrets.GCP_FED_PROJECT_ID }}
+      AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+      AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
+      AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
+      TFC_AZURE_CLIENT_ID: ${{ secrets.TFC_AZURE_CLIENT_ID }}
+      TFC_AZURE_CLIENT_SECRET: ${{ secrets.TFC_AZURE_CLIENT_SECRET }}
+      TFC_AZURE_TENANT_ID: ${{ secrets.TFC_AZURE_TENANT_ID }}
+      TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
+      TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
+      SCALEWAY_API_URL: ${{ secrets.SCALEWAY_API_URL }}
+      SCALEWAY_REGION: ${{ secrets.SCALEWAY_REGION }}
+      SCALEWAY_PROJECT_ID: ${{ secrets.SCALEWAY_PROJECT_ID }}
+      SCALEWAY_ACCESS_KEY: ${{ secrets.SCALEWAY_ACCESS_KEY }}
+      SCALEWAY_SECRET_KEY: ${{ secrets.SCALEWAY_SECRET_KEY }}
+      DELINEA_TLD: ${{ secrets.DELINEA_TLD }}
+      DELINEA_URL_TEMPLATE: ${{ secrets.DELINEA_URL_TEMPLATE }}
+      DELINEA_TENANT: ${{ secrets.DELINEA_TENANT }}
+      DELINEA_CLIENT_ID: ${{ secrets.DELINEA_CLIENT_ID }}
+      DELINEA_CLIENT_SECRET: ${{ secrets.DELINEA_CLIENT_SECRET }}
+      SECRETSERVER_USERNAME: ${{ secrets.SECRETSERVER_USERNAME }}
+      SECRETSERVER_PASSWORD: ${{ secrets.SECRETSERVER_PASSWORD }}
+      SECRETSERVER_URL: ${{ secrets.SECRETSERVER_URL }}
+      GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
+      GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
     steps:
     - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
       with:
@@ -91,6 +114,7 @@ jobs:
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         ref: '${{ env.TARGET_SHA }}'
+        persist-credentials: false
 
     - name: Fetch History
       run: git fetch --prune --unshallow
@@ -100,8 +124,10 @@ jobs:
     - id: create_token
       if: always()
       uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      env:
+        APP_ID: ${{ secrets.APP_ID }}
       with:
-        app-id: ${{ secrets.APP_ID }}
+        app-id: ${{ env.APP_ID }}
         private-key: ${{ secrets.PRIVATE_KEY }}
         owner: ${{ github.repository_owner }}
 
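Review bot: The deleted comment (`# Common users. We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run a step 'if env.GHCR_USERNAME' != ""' ...`) explained why secrets are copied into `env`, and that rationale still applies to the two new job-level `env` blocks, so it should move with them rather than disappear — e.g. `# secrets are mirrored into env so steps can test 'if env.X != ""' (secrets are not usable in step conditions)` above each block. The two 28-line blocks in `integration-trusted` and the `repository_dispatch` job are byte-identical; at minimum a comment on the second pointing at the first would help keep them in sync when a provider is added or removed. As in e2e-managed.yml, job-level `env` makes values such as `SECRETSERVER_PASSWORD`, `SCALEWAY_SECRET_KEY`, `TFC_AZURE_CLIENT_SECRET` and `GCP_SERVICE_ACCOUNT_KEY` visible to every step of the job, including third-party actions, so check that each is actually consumed in both jobs. The deletions also leave `AWS_REGION: "eu-central-1"` directly followed by `jobs:` with no separating blank line.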

+ 2 - 0
.github/workflows/helm.yml

@@ -23,6 +23,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Generate chart
         run: |
@@ -78,6 +79,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |

+ 7 - 3
.github/workflows/lgtm.yml

@@ -19,18 +19,22 @@ jobs:
     steps:
     # Checkout repo to access CODEOWNERS.md
     - name: Checkout repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         sparse-checkout: |
           CODEOWNERS.md
+        persist-credentials: false
 
     # Generate a GitHub App installation access token
     - name: Generate token
       id: generate_token
       uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      env:
+        LGTM_APP_ID: ${{ secrets.LGTM_APP_ID }}
+        LGTM_PRIVATE_KEY: ${{ secrets.LGTM_PRIVATE_KEY }}
       with:
-        app-id: ${{ secrets.LGTM_APP_ID }}
-        private-key: ${{ secrets.LGTM_PRIVATE_KEY }}
+        app-id: ${{ env.LGTM_APP_ID }}
+        private-key: ${{ env.LGTM_PRIVATE_KEY }}
         owner: ${{ github.repository_owner }}
 
     - name: Slash Command Dispatch

+ 3 - 1
.github/workflows/ok-to-test-managed.yml

@@ -26,8 +26,10 @@ jobs:
     - name: Generate token
       id: generate_token
       uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      env:
+        APP_ID: ${{ secrets.APP_ID }}
       with:
-        app-id: ${{ secrets.APP_ID }}
+        app-id: ${{ env.APP_ID }}
         private-key: ${{ secrets.PRIVATE_KEY }}
         owner: ${{ github.repository_owner }}
 

+ 3 - 1
.github/workflows/ok-to-test.yml

@@ -26,8 +26,10 @@ jobs:
     - name: Generate token
       id: generate_token
       uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      env:
+        APP_ID: ${{ secrets.APP_ID }}
       with:
-        app-id: ${{ secrets.APP_ID }}
+        app-id: ${{ env.APP_ID }}
         private-key: ${{ secrets.PRIVATE_KEY }}
         owner: ${{ github.repository_owner }}
 

+ 3 - 0
.github/workflows/publish.yml

@@ -61,6 +61,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.ref }}
+          persist-credentials: false
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
@@ -163,6 +164,8 @@ jobs:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Sign image
         if: env.IS_FORK != ''
         uses: ./.github/actions/sign

+ 2 - 1
.github/workflows/pull-request-label.yml

@@ -112,10 +112,11 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: |
             .github/config/labeler.yml
+          persist-credentials: false
       - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v5
         with:
           configuration-path: .github/config/labeler.yml

+ 1 - 0
.github/workflows/rebuild-image.yml

@@ -27,6 +27,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ github.event.inputs.ref }}
+          persist-credentials: false
       - name: set timestamp output
         id: timestamp
         run: |

+ 8 - 2
.github/workflows/release.yml

@@ -34,6 +34,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Resolve and validate ref
         id: resolve_ref
@@ -56,7 +57,9 @@ jobs:
           echo "sha=$RESOLVED_SHA" >> $GITHUB_OUTPUT
 
       - name: Checkout validated ref
-        run: git checkout ${{ steps.resolve_ref.outputs.sha }}
+        env:
+          RESOLVED_SHA: ${{ steps.resolve_ref.outputs.sha }}
+        run: git checkout "$RESOLVED_SHA"
 
       - name: Create Release
         uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
@@ -74,10 +77,11 @@ jobs:
       - name: Configure Git
         env:
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-          git remote set-url origin "https://x-access-token:${{ env.TOKEN }}@github.com/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${TOKEN}@github.com/${GH_REPO}.git"
 
       - name: Update Docs
         if: github.ref == 'refs/heads/main'
@@ -113,12 +117,14 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         id: setup-go
         with:
           go-version-file: "go.mod"
+          cache: false
 
       - name: Download Go modules
         run: go mod download
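Review bot: `cache: false` on the `Setup Go` step in the last hunk is added without a comment, and because setup-go caches by default a later reader is likely to revert it as a speed regression; record the reason, e.g. `cache: false  # release job: do not restore a shared module cache that a PR run could have populated`. That wording is my inference of the intent (cache-poisoning hardening for a release build), so adjust it if the scanner finding said otherwise; the same unexplained `cache: false` is added in release_esoctl.yml. Moving `${{ steps.resolve_ref.outputs.sha }}` into `RESOLVED_SHA` and quoting it in `git checkout "$RESOLVED_SHA"` is the right shape for the injection finding.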

+ 19 - 3
.github/workflows/release_esoctl.yml

@@ -31,6 +31,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Resolve and validate ref
         id: resolve_ref
@@ -53,13 +54,16 @@ jobs:
           echo "sha=$RESOLVED_SHA" >> $GITHUB_OUTPUT
 
       - name: Checkout validated ref
-        run: git checkout ${{ steps.resolve_ref.outputs.sha }}
+        env:
+          RESOLVED_SHA: ${{ steps.resolve_ref.outputs.sha }}
+        run: git checkout "$RESOLVED_SHA"
 
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         id: setup-go
         with:
           go-version-file: "go.mod"
+          cache: false
 
       - name: Download Go modules
         run: go mod download
@@ -70,9 +74,12 @@ jobs:
       - name: Import GPG key
         id: import_gpg
         uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
         with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          gpg_private_key: ${{ env.GPG_PRIVATE_KEY }}
+          passphrase: ${{ env.GPG_PASSPHRASE }}
 
       - name: Check if Tag Exists
         id: check_tag
@@ -84,6 +91,15 @@ jobs:
             exit 1
           fi
 
+      - name: Configure Git credentials
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          git remote set-url origin "https://x-access-token:${TOKEN}@github.com/${GH_REPO}.git"
+
       - name: Create Tag if Not Exists
         if: success()
         env:

+ 7 - 1
.github/workflows/update-deps.yml

@@ -28,6 +28,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ github.event.inputs.ref }}
+          persist-credentials: false
       - name: set branches output
         id: branches
         run: echo "branches=[\"main\"]" >> $GITHUB_OUTPUT
@@ -50,8 +51,10 @@ jobs:
     - name: Generate token
       id: generate_token
       uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      env:
+        APP_ID: ${{ secrets.APP_ID }}
       with:
-        app-id: ${{ secrets.APP_ID }}
+        app-id: ${{ env.APP_ID }}
         private-key: ${{ secrets.PRIVATE_KEY }}
         owner: ${{ github.repository_owner }}
 
@@ -60,6 +63,7 @@ jobs:
         token: ${{ steps.generate_token.outputs.token }}
         ref: ${{ matrix.branch }}
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Setup Go
       uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -70,9 +74,11 @@ jobs:
       env:
         BASE_BRANCH: ${{ matrix.branch }}
         GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+        GH_REPO: ${{ github.repository }}
       run: |
         git config --global user.email "ExternalSecretsOperator@users.noreply.github.com"
         git config --global user.name "External Secrets Operator"
+        git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GH_REPO}.git"
         BRANCH=update-deps-$(date "+%s")
         make update-deps || true
         make check-diff || true