chore: Harden Github Actions configuration

.github/actions/get-changelog/action.yml

@@ -4,5 +4,5 @@ outputs:
   changelog:
     description: 'The current changelog'
 runs:
-  using: 'node16'
+  using: 'node24'
   main: 'index.js'

.github/actions/setup/action.yml

@@ -77,8 +77,9 @@ runs:
       if: ${{ inputs.skip-install == 'false' }}
       env:
         NODE_AUTH_TOKEN: ${{ inputs.registry-token }}
+        INPUTS_PNPM_INSTALL_ARGS: ${{ inputs.pnpm-install-args }}
       shell: bash
-      run: pnpm install --ignore-scripts ${{ inputs.pnpm-install-args }}
+      run: pnpm install --ignore-scripts ${INPUTS_PNPM_INSTALL_ARGS}
     - name: Run lifecycle scripts
       if: ${{ inputs.skip-install == 'false' && inputs.skip-build == 'false' }}
       shell: bash

.github/workflows/api-docs.yml

@@ -42,20 +42,21 @@ jobs:
           GIT_USER: cloud-sdk-js
           BOT_EMAIL: ${{ vars.SAP_CLOUD_SDK_BOT_EMAIL }}
           BOT_NAME: ${{ vars.SAP_CLOUD_SDK_BOT_NAME }}
+          FULL_VERSION: ${{ inputs.version }}
         run: |
           gh auth setup-git
           git config user.email "$BOT_EMAIL"
           git config user.name "$BOT_NAME"
 
           # Extract major version from input (e.g., v4.5.0 -> v4)
-          FULL_VERSION="${{ inputs.version }}"
-          MAJOR_VERSION=$(echo $FULL_VERSION | sed 's/\(v[0-9]*\).*/\1/')
+          # shellcheck disable=SC2001
+          MAJOR_VERSION=$(echo "$FULL_VERSION" | sed 's/\(v[0-9]*\).*/\1/')
 
           cd ..
           git clone --depth 1 https://github.com/SAP/cloud-sdk.git
 
           # Copy generated docs to versioned folder
-          rsync -avz --delete cloud-sdk-js/knowledge-base/api-reference/ cloud-sdk/static/api/${MAJOR_VERSION}/
+          rsync -avz --delete cloud-sdk-js/knowledge-base/api-reference/ "cloud-sdk/static/api/${MAJOR_VERSION}/"
 
           cd cloud-sdk
           git add -A

.github/workflows/auto-dependabot-fix.yml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   building:
-    if: github.actor == 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     steps:
       - id: app-token
@@ -27,7 +27,7 @@ jobs:
           BOT_EMAIL: ${{ vars.SAP_CLOUD_SDK_BOT_EMAIL }}
           BOT_NAME: ${{ vars.SAP_CLOUD_SDK_BOT_NAME }}
         run: |
-          diff=`git diff`
+          diff=$(git diff)
           if [ ! -z "$diff" ]; then
             git config --global user.email "$BOT_EMAIL"
             git config --global user.name "$BOT_NAME"

.github/workflows/auto-lint.yml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   linting:
-    if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+    if: github.actor != 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     steps:
       - id: app-token
@@ -29,7 +29,7 @@ jobs:
           BOT_EMAIL: ${{ vars.SAP_CLOUD_SDK_BOT_EMAIL }}
           BOT_NAME: ${{ vars.SAP_CLOUD_SDK_BOT_NAME }}
         run: |
-          diff=`git diff`
+          diff=$(git diff)
           if [ ! -z "$diff" ]; then
             git config --global user.email "$BOT_EMAIL"
             git config --global user.name "$BOT_NAME"

.github/workflows/blackduck.yml

@@ -14,7 +14,7 @@ jobs:
         with:
           registry-token: ${{ secrets.NPM_TOKEN_ARTIFACTORY }}
       - run: sudo apt-get install jq
-      - run: echo "project_version=$(cat package.json | jq '.version' | tr -d '"')" >> $GITHUB_ENV
+      - run: echo "project_version=$(cat package.json | jq '.version' | tr -d '"')" >> "$GITHUB_ENV"
       - name: Blackduck Scan
         env:
           PIPER_token: ${{ secrets.BLACKDUCK_TOKEN }}

.github/workflows/build.yml

@@ -107,7 +107,7 @@ jobs:
 
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }}
+    if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name }}
     needs: [tests, checks, e2e-tests]
     permissions:
       pull-requests: write
@@ -148,15 +148,15 @@ jobs:
         run: |
           lastCommitDate=$(git --no-pager log -n 1 "$REF_NAME" --pretty=format:"%at")
           curDate=$(date +%s)
-          dateDiff=$(expr $curDate - $lastCommitDate)
-          echo $lastCommitDate, $curDate, $dateDiff
+          dateDiff=$(( curDate - lastCommitDate ))
+          echo "$lastCommitDate, $curDate, $dateDiff"
 
           if [[ $dateDiff -gt 86400 ]]
           then
               echo "No new commit found on $REF within the last 24 hrs."
-              echo "skip-release=true" >> $GITHUB_OUTPUT
+              echo "skip-release=true" >> "$GITHUB_OUTPUT"
           else
-              echo "skip-release=false" >> $GITHUB_OUTPUT
+              echo "skip-release=false" >> "$GITHUB_OUTPUT"
           fi
 
   canary-release:
@@ -177,10 +177,10 @@ jobs:
           package-manager-cache: false
       - name: Canary Release
         run: |
-          date=`date +%Y%m%d%H%M%S`
+          date=$(date +%Y%m%d%H%M%S)
           rm -f .changeset/*.md
           cp canary-release-changeset.md .changeset
-          pnpm changeset pre enter ${date}
+          pnpm changeset pre enter "${date}"
           pnpm changeset version
           pnpm changeset pre exit
           pnpm changeset publish --tag canary
@@ -201,8 +201,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CHANGELOG: ${{ steps.get-changelog.outputs.changelog }}
         run: |
-          gh release create "${{ github.ref_name }}" \
-            --title "${{ github.ref_name }}" \
+          gh release create "${GITHUB_REF_NAME}" \
+            --title "${GITHUB_REF_NAME}" \
             --verify-tag \
             --notes "$CHANGELOG" \
             --draft

.github/workflows/check-pr.yml

@@ -12,6 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Collect changed files
         id: changed-files
         uses: step-security/changed-files@2e07db73e5ccdb319b9a6c7766bd46d39d304bad # v47.0.5

.github/workflows/codeql-analysis.yml

@@ -35,6 +35,7 @@ jobs:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
           fetch-depth: 2
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/fosstars-report.yml

@@ -12,6 +12,8 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: SAP/fosstars-rating-core-action@daf10c3920b53405f6013ee987e7015525fdec30 # v1.14.0
         with:
           report-branch: fosstars-report

.github/workflows/gha-security-scan.yaml

@@ -0,0 +1,26 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    branches: ['**']
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+      contents: read # Only needed for private repos. Needed to clone the repo.
+      actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

.github/workflows/memory-tests.yml

@@ -31,7 +31,7 @@ jobs:
       - working-directory: test-packages/memory-tests/sdk-canary/
         run: node --inspect test-script.js && cat result.txt
       - name: compare v2 and canary
-        run: pnpm exec ts-node scripts/compare-memory-usage.ts $(cat ./test-packages/memory-tests/sdk-v2/result.txt) $(cat ./test-packages/memory-tests/sdk-canary/result.txt)
+        run: pnpm exec ts-node scripts/compare-memory-usage.ts "$(cat ./test-packages/memory-tests/sdk-v2/result.txt)" "$(cat ./test-packages/memory-tests/sdk-canary/result.txt)"
       - name: Slack Notify
         if: failure() || cancelled()
         env:

.github/workflows/release.yml

@@ -39,6 +39,7 @@ jobs:
           token: ${{ steps.app-token.outputs.token }}
           fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
           path: ./cloud-sdk
+          persist-credentials: true
       - name: Update release notes
         run: |
           npx ts-node -e "import { addCurrentChangelog } from './scripts/add-changelog'; addCurrentChangelog()"

.github/zizmor.yml

@@ -0,0 +1,21 @@
+rules:
+  # already following SAP policies
+  dependabot-cooldown:
+    disable: true
+  # requires more effort to fix
+  secrets-inherit:
+    ignore:
+     - bump.yml
+     - release-entry.yml
+  # requires more effort to fix
+  excessive-permissions:
+    disable: true
+  dangerous-triggers:
+    ignore:
+      - auto-dependabot-fix.yml
+  # allow unpinned references to own repositories
+  unpinned-uses:
+    config:
+      policies:
+        'sap/ai-sdk-js/*': any
+        'sap/cloud-sdk-js/*': any