Security: Move permissions to job level and prevent script injection

- Move permissions from global to job level for both workflows
- Replace direct GitHub context usage with environment variables
- Prevent script injection attacks in GitHub Actions scripts
- Follow GitHub security best practices for workflow design

REF: GitHub security recommendations for workflow permissions and injection prevention

Author: prince-deriv

.github/workflows/ai-code-analysis.yml

@@ -24,21 +24,27 @@ on:
         description: 'Personal access token for user verification'
         required: true
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-
 jobs:
   analyze-ai-code:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     env:
-      # Security: Move GitHub context to environment variables to prevent injection
       PR_USER_LOGIN: ${{ github.event.pull_request.user.login }}
       PR_HEAD_SHA: ${{ inputs.target_ref || github.event.pull_request.head.sha }}
       PR_BASE_REF: ${{ inputs.base_ref || github.event.pull_request.base.ref }}
       GITHUB_TOKEN_INPUT: ${{ inputs.github_token || github.token }}
       PAT_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
+      GITHUB_REPOSITORY: ${{ github.repository }}
+      GITHUB_EVENT_NAME: ${{ github.event_name }}
+      PR_MERGED_AT: ${{ github.event.pull_request.merged_at }}
+      PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+      PR_USER_TYPE: ${{ github.event.pull_request.user.type }}
+      ISSUE_NUMBER: ${{ github.event.number }}
+      REPO_OWNER: ${{ github.repository_owner }}
+      REPO_NAME: ${{ github.event.repository.name }}
 
     steps:
       - name: Verify user
@@ -231,6 +237,14 @@ jobs:
           script: |
             const fs = require('fs');
             
+         
+            const repository = process.env.GITHUB_REPOSITORY;
+            const eventName = process.env.GITHUB_EVENT_NAME;
+            const prMergedAt = process.env.PR_MERGED_AT;
+            const prHeadRef = process.env.PR_HEAD_REF;
+            const prUserLogin = process.env.PR_USER_LOGIN;
+            const issueNumber = process.env.ISSUE_NUMBER;
+            
             // Read analysis results
             const results = JSON.parse(fs.readFileSync('ai_analysis_results.json', 'utf8'));
 
@@ -364,10 +378,10 @@ jobs:
               comment += `<details>\n<summary>📊 Raw Data (for dashboard)</summary>\n\n\`\`\`json\n`;
               comment += JSON.stringify({
                 timestamp: new Date().toISOString(),
-                repository: context.repo.full_name,
-                pullRequest: context.issue.number,
-                branch: context.payload.pull_request.head.ref,
-                author: context.payload.pull_request.user.login,
+                repository: repository,
+                pullRequest: issueNumber,
+                branch: prHeadRef,
+                author: prUserLogin,
                 ...results
               }, null, 2);
               comment += `\n\`\`\`\n\n</details>\n\n`;

.github/workflows/ai-dashboard.yml

@@ -24,16 +24,16 @@ on:
         description: 'ShiftAI token for auto-merge operations'
         required: false
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   ai-dashboard-update:
     # Only run if PR was actually merged (or manual/schedule trigger)
     if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' || github.event_name == 'workflow_call'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     env:
+      # Security: Move GitHub context to environment variables to prevent injection
       PR_TITLE: ${{ github.event.pull_request.title || inputs.pr_title || 'Manual/Scheduled Run' }}
       PR_HEAD_REF: ${{ github.event.pull_request.head.ref || 'manual' }}
       PR_AUTHOR: ${{ github.event.pull_request.user.login || 'system' }}
@@ -42,6 +42,9 @@ jobs:
       TARGET_BRANCH: ${{ inputs.target_branch || github.event.repository.default_branch || 'master' }}
       GITHUB_TOKEN_INPUT: ${{ github.token }}
       SHIFTAI_TOKEN_INPUT: ${{ secrets.SHIFTAI_TOKEN }}
+      GITHUB_REPOSITORY: ${{ github.repository }}
+      GITHUB_EVENT_NAME: ${{ github.event_name }}
+      PR_MERGED_AT: ${{ github.event.pull_request.merged_at }}
 
     steps:
       - name: Check if this is a dashboard update PR (prevent loops)
@@ -469,17 +472,17 @@ jobs:
           # Add the preserved changes
           git add .github/data/ai-analysis-history.json AI-DASHBOARD.md
           
-          # Commit changes
+          # Commit changes - using environment variables to prevent injection
           if [[ "$PR_NUMBER" == "manual" ]]; then
             COMMIT_MSG="📊 Manual Dashboard Update
             
             - Updated: $(date -u +"%Y-%m-%d %H:%M UTC")
-            - Trigger: ${{ github.event_name }}
+            - Trigger: $GITHUB_EVENT_NAME
             - Manual dashboard refresh"
           else
             COMMIT_MSG="📊 Track merged PR #$PR_NUMBER: $PR_TITLE
             
-            - Merged: ${{ github.event.pull_request.merged_at }}
+            - Merged: $PR_MERGED_AT
             - Author: $PR_AUTHOR
             - Updated dashboard with historical data"
           fi
@@ -503,6 +506,7 @@ jobs:
             const prTitle = process.env.PR_TITLE;
             const prAuthor = process.env.PR_AUTHOR;
             const targetBranch = process.env.TARGET_BRANCH;
+            const eventName = process.env.GITHUB_EVENT_NAME;
             const { owner, repo } = context.repo;
             
             console.log('Environment check:');
@@ -545,7 +549,7 @@ jobs:
                   '- Historical data file (if any new data available)',
                   '',
                   '### 🔄 Update Details:',
-                  '- **Trigger**: ' + context.eventName,
+                  '- **Trigger**: ' + eventName,
                   '- **Updated**: ' + new Date().toISOString(),
                   '',
                   '---',
@@ -616,11 +620,14 @@ jobs:
       - name: Auto-merge Dashboard PR
         if: steps.check-skip.outputs.should-skip == 'false' && steps.create-pr.outputs.dashboard-pr-number && (github.event_name == 'pull_request_target' || github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' || github.event_name == 'workflow_call')
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          DASHBOARD_PR_NUMBER: ${{ steps.create-pr.outputs.dashboard-pr-number }}
         with:
           github-token: ${{ env.SHIFTAI_TOKEN_INPUT || env.GITHUB_TOKEN_INPUT }}
           script: |
-            const dashboardPrNumber = '${{ steps.create-pr.outputs.dashboard-pr-number }}';
+            const dashboardPrNumber = process.env.DASHBOARD_PR_NUMBER;
             const shiftaiToken = process.env.SHIFTAI_TOKEN_INPUT;
+            const targetBranch = process.env.TARGET_BRANCH;
             const { owner, repo } = context.repo;
             
             if (!shiftaiToken) {
@@ -698,7 +705,6 @@ jobs:
               }
               
               // SECURITY CHECK 5: Validate base branch
-              const targetBranch = process.env.TARGET_BRANCH || 'master';
               if (prData.base.ref !== targetBranch) {
                 console.log('❌ SECURITY: PR base is not target branch - aborting force merge');
                 console.log('   Base branch:', prData.base.ref);
@@ -733,7 +739,7 @@ jobs:
               console.log('🔒 Confirmed: This is a legitimate dashboard PR created by GitHub Actions');
               
               // SECURITY CHECK 7: Validate workflow trigger event
-              const currentEvent = context.eventName;
+              const currentEvent = process.env.GITHUB_EVENT_NAME;
               const allowedTriggers = ['pull_request_target', 'workflow_dispatch', 'schedule', 'workflow_call'];
               
               if (!allowedTriggers.includes(currentEvent)) {
@@ -783,7 +789,7 @@ jobs:
           if [[ "$PR_NUMBER" != "manual" ]]; then
             echo "✅ Tracked PR #$PR_NUMBER: $PR_TITLE"
             echo "👤 Author: $PR_AUTHOR"
-            echo "🕐 Merged: ${{ github.event.pull_request.merged_at }}"
+            echo "🕐 Merged: $PR_MERGED_AT"
           else
             echo "🔄 Manual/scheduled dashboard refresh"
           fi
@@ -798,7 +804,7 @@ jobs:
             echo "   • ⏳ Waiting for manual review and merge"
           fi
           echo ""
-          echo "🔗 View dashboard: https://github.com/${{ github.repository }}/blob/$TARGET_BRANCH/AI-DASHBOARD.md"
+          echo "🔗 View dashboard: https://github.com/$GITHUB_REPOSITORY/blob/$TARGET_BRANCH/AI-DASHBOARD.md"
 
       - name: Skip notification
         if: steps.check-skip.outputs.should-skip == 'true'