Harden workflow security by ltagliaferri · Pull Request #3175 · chainguard-dev/edu

ltagliaferri · 2026-04-06T17:05:08Z

Harden workflow security: use env vars, docker/login-action, and environment gate

Move all ${{ }} context values in run blocks to env variables to prevent shell injection
Replace echo | docker login with docker/login-action for secure credential handling
Add environment: documentation gate to compile-public-docs.yml
Switch GCS metadata generation from shell heredoc to Python json.dumps
Replace asset-swap release pattern in compile-docs.yml for immutable release compatibility
Remove persist-credentials: false from GCS workflow (needs git push)
Remove manual docker logout (handled by login-action post step)

Signed-off-by: ltagliaferri <lisa.tagliaferri@gmail.com>

netlify · 2026-04-06T17:05:17Z

Name	Link
🔨 Latest commit	`99246fd`
🔍 Latest deploy log	https://app.netlify.com/projects/ornate-narwhal-088216/deploys/69d3e7cb7e349a000835cd7d
😎 Deploy Preview	https://deploy-preview-3175--ornate-narwhal-088216.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Harden workflow security

99246fd

Signed-off-by: ltagliaferri <lisa.tagliaferri@gmail.com>

ltagliaferri requested a review from a team as a code owner April 6, 2026 17:05

ltagliaferri merged commit 3d731c4 into chainguard-dev:main Apr 6, 2026
5 of 6 checks passed

Provide feedback