From 826aec92a22d918dee0d026edb6f82af16316ff3 Mon Sep 17 00:00:00 2001
From: Ryan Inch
Date: Sun, 28 Jun 2026 22:39:08 -0400
Subject: [PATCH] Apply Zizmor fixes to increase HcPkgPreReleaseGitops workflow security

What: prevents credentials from actions/checkout from persisting, and replaces direct use of the GitHub variables in the shell execution with indirect usage via shell variables.

Why: to help minimize the chance of the workflow being hacked. According to Zizmor, filtering GitHub variables through environment variables prevents code injection via template expansion. Essentially, this should ensure an attacker can't manipulate data in GitHub to achieve remote code execution when the workflow is run.
---
 .github/workflows/HcPkgPreReleaseGitops.yaml | 29 ++++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/HcPkgPreReleaseGitops.yaml b/.github/workflows/HcPkgPreReleaseGitops.yaml
index f5629e40..c556b06c 100644
--- a/.github/workflows/HcPkgPreReleaseGitops.yaml
+++ b/.github/workflows/HcPkgPreReleaseGitops.yaml
@@ -23,30 +23,35 @@ jobs:
 - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 with:
 fetch-depth: 0
+ persist-credentials: false
 - run: |
 echo "Prep work"
- git fetch origin ${{inputs.releaseTrackingBranch}}
- git fetch origin ${{inputs.qatestBranch}}
+ git fetch origin ${INPUTS_RELEASETRACKINGBRANCH}
+ git fetch origin ${INPUTS_QATESTBRANCH}
 tag="hc.test.$(date '+%Y-%m-%d')"
 echo "$tag"
 echo "Point releaseTrackingBranch to current qa-test"
 git reset HEAD --hard
- git checkout ${{inputs.qaTestBranch}}
- git pull origin ${{inputs.qaTestBranch}}
+ git checkout ${INPUTS_QATESTBRANCH}
+ git pull origin ${INPUTS_QATESTBRANCH}
 sha=$(git rev-parse HEAD)
- echo "${{inputs.qaTestBranch}} branch sha: $sha"
- git checkout ${{inputs.releaseTrackingBranch}}
- git update-ref 'refs/heads/${{inputs.releaseTrackingBranch}}' $sha
- git push origin ${{inputs.releaseTrackingBranch}} -f
+ echo "${INPUTS_QATESTBRANCH} branch sha: $sha"
+ git checkout ${INPUTS_RELEASETRACKINGBRANCH}
+ git update-ref 'refs/heads/${INPUTS_RELEASETRACKINGBRANCH}' $sha
+ git push origin ${INPUTS_RELEASETRACKINGBRANCH} -f
 echo "Point qa-test branch to current master"
 git reset HEAD --hard
- git checkout ${{inputs.main}}
+ git checkout ${INPUTS_MAIN}
 sha=$(git rev-parse HEAD)
 echo "master branch sha: $sha"
- git checkout ${{inputs.qatestBranch}}
- git update-ref 'refs/heads/${{inputs.qatestBranch}}' $sha
- git push origin ${{inputs.qatestBranch}} -f
+ git checkout ${INPUTS_QATESTBRANCH}
+ git update-ref 'refs/heads/${INPUTS_QATESTBRANCH}' $sha
+ git push origin ${INPUTS_QATESTBRANCH} -f
 git tag $tag
 git push origin $tag
+ env:
+ INPUTS_RELEASETRACKINGBRANCH: ${{inputs.releaseTrackingBranch}}
+ INPUTS_QATESTBRANCH: ${{inputs.qatestBranch}}
+ INPUTS_MAIN: ${{inputs.main}}
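Review bot: The two `git update-ref` lines on the new side are broken by the rewrite: `'refs/heads/${INPUTS_RELEASETRACKINGBRANCH}'` and `'refs/heads/${INPUTS_QATESTBRANCH}'` are single-quoted, so the shell no longer expands the variable (the old `${{ }}` form was substituted before the shell ran), git receives the literal ref name `refs/heads/${INPUTS_...}`, and the `git push ... -f` that follows pushes a branch that was never moved. Use double quotes instead: `git update-ref "refs/heads/${INPUTS_RELEASETRACKINGBRANCH}" "$sha"` and `git update-ref "refs/heads/${INPUTS_QATESTBRANCH}" "$sha"`; quoting the remaining `${INPUTS_*}` uses as well (`git fetch origin "${INPUTS_QATESTBRANCH}"` and so on) keeps an input containing whitespace or glob characters from being split into extra git arguments, which is the same injection surface the commit is trying to close. Separately, `persist-credentials: false` means the checkout token is no longer stored in `.git/config`, yet the same step still runs `git push origin ... -f` and `git push origin $tag`; unless push credentials are provided elsewhere in the workflow (outside this hunk), those pushes will now fail, so confirm how the step is meant to authenticate and document it on the step. The step's `with:`, `run:` and `env:` keys are all within the hunk, but the enclosing job definition starts before it.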