
Workflow Security Hardening#506

Merged
vibhutikumar07 merged 11 commits into
repoHardeningfrom
workflowHardening
Jun 5, 2026

Conversation

@vibhutikumar07

Contributor

Describe your changes

Changes Made to GitHub Actions Workflows (19 files):

  1. Environment Protection (environment: dev)
    Added environment: dev to every job across all workflows so secrets are served from a protected environment instead of repo-level, adding an extra access-control layer. Fork PRs will not receive secrets.

  2. Secrets moved from inline to env: blocks
    Replaced all ${{ secrets.X }} references inside shell commands with env: blocks. Values are now injected as environment variables instead of being baked into the process argument string (which is visible in process listings and audit logs).

  3. cf login banner suppressed (> /dev/null)
    The CF CLI prints org, space, user to stdout after every login. Appended > /dev/null to all cf login commands to suppress this banner. stderr is unaffected so login failures still surface as errors.

  4. set +x as first line of every sensitive step
    Ensures bash debug-trace mode is disabled before any secret variable is assigned, preventing values from being printed if debug mode is ever enabled.

  5. ::add-mask:: for all secret-holding variables
    Registered every secret-holding shell variable (CF credentials, XSUAA clientSecret/clientID fetched at runtime, test usernames/passwords) with GitHub's log scrubber. This ensures any accidental echo or error trace is redacted as *** in logs. Masks are placed as the very first lines of each run block — before any command that could reference those values.

Any documentation

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist before requesting a review

  • I follow Java Development Guidelines for SAP
  • I have tested the functionality on my cloud environment.
  • I have provided sufficient automated/unit tests for the code.
  • I have increased or maintained the test coverage.
  • I have run integration tests on my cloud environment.
  • I have validated the Blackduck portal for any vulnerability after my commit.

Upload Screenshots/lists of the scenarios tested

  • I have uploaded screenshots or added lists of the scenarios tested in the description

vibhutikumar07 and others added 11 commits June 4, 2026 16:36
…rotection

Security changes applied to all 19 workflow files:

1. environment: dev — All jobs now pull secrets from the protected "dev"
   environment instead of repo-level secrets, adding an extra access
   control layer. Jobs with existing environment (maven-central) are
   kept as-is.

2. Secrets moved from inline ${{ secrets.X }} to env: blocks — Prevents
   secret values from appearing in the process argument list (visible via
   ps/audit logs). Shell commands now reference $ENV_VAR instead.

3. set +x in every sensitive step — Disables bash debug-trace mode before
   any secret variable is assigned, preventing accidental log exposure if
   debug mode is ever enabled upstream.

4. ::add-mask:: for all runtime-fetched and copied secret variables —
   Registers CF credentials, clientSecret/clientID (fetched from XSUAA
   at runtime), usernames and passwords with GitHub's log scrubber so
   any accidental echo or error trace is redacted as *** in logs.
Co-authored-by: Yashmeet . <yashmeet@sap.com>
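As an added example (not part of this PR's diff), here is a minimal workflow job with the five hardening items from the PR description and commit message applied, shown next to the shape it replaces. The job, secret names, org/space and the `fetch-xsuaa-secret.sh` / `run-tests.sh` helper scripts are assumptions, not files from this repository:

```yaml
# BEFORE (assumed shape of the original job): repo-level secrets, secret values
# expanded straight into the command string, nothing masked, no trace guard.
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: |
          cf login -a ${{ secrets.CF_API }} -u ${{ secrets.CF_USER }} -p ${{ secrets.CF_PASSWORD }} -o my-org -s dev
---
# AFTER: the hardening items from the PR description applied to the same job.
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: dev                 # (1) secrets served from the protected "dev" environment
    steps:
      - name: Log in to Cloud Foundry
        env:                         # (2) secrets injected as environment variables
          CF_API: ${{ secrets.CF_API }}
          CF_USER: ${{ secrets.CF_USER }}
          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
        run: |
          set +x                                  # (4) xtrace off before any secret is touched
          echo "::add-mask::$CF_USER"             # (5) register values with the log scrubber
          echo "::add-mask::$CF_PASSWORD"         #     before any command could echo them
          # (3) drop the org/space/user banner on stdout; stderr still reports failures
          cf login -a "$CF_API" -u "$CF_USER" -p "$CF_PASSWORD" -o my-org -s dev > /dev/null

      - name: Fetch XSUAA credentials at runtime
        run: |
          set +x
          # fetch-xsuaa-secret.sh is an assumed helper that prints the service-key clientsecret
          CLIENT_SECRET="$(./scripts/fetch-xsuaa-secret.sh)"
          echo "::add-mask::$CLIENT_SECRET"       # mask immediately after assignment
          # from here on an accidental echo or error trace prints *** instead of the value
          ./scripts/run-tests.sh "$CLIENT_SECRET"
```

A runtime-fetched value can only be masked after it is assigned, so the mask line goes directly after the assignment and before any command that could print it. If the password should also stay out of the cf process's own argument list, `cf auth` with no arguments reads the CF_USERNAME and CF_PASSWORD environment variables instead of taking them as flags.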
@vibhutikumar07 vibhutikumar07 merged commit 7f9a1b4 into repoHardening Jun 5, 2026
1 check failed
@vibhutikumar07 vibhutikumar07 deleted the workflowHardening branch June 5, 2026 03:55
vibhutikumar07 added a commit that referenced this pull request Jun 5, 2026
…apps from SDM plugin (#504)

* Move leading app to SDM plugin & workflow files update to read these apps from SDM plugin

* remove .gitignore from leading apps and add mta.yaml back

* Update action.yml for new app path

* Workflow Security Hardening (#506)

* Harden GitHub Actions workflows — environment, secret masking & log protection

Security changes applied to all 19 workflow files:

1. environment: dev — All jobs now pull secrets from the protected "dev"
   environment instead of repo-level secrets, adding an extra access
   control layer. Jobs with existing environment (maven-central) are
   kept as-is.

2. Secrets moved from inline ${{ secrets.X }} to env: blocks — Prevents
   secret values from appearing in the process argument list (visible via
   ps/audit logs). Shell commands now reference $ENV_VAR instead.

3. set +x in every sensitive step — Disables bash debug-trace mode before
   any secret variable is assigned, preventing accidental log exposure if
   debug mode is ever enabled upstream.

4. ::add-mask:: for all runtime-fetched and copied secret variables —
   Registers CF credentials, clientSecret/clientID (fetched from XSUAA
   at runtime), usernames and passwords with GitHub's log scrubber so
   any accidental echo or error trace is redacted as *** in logs.

* Update pom.xml

* remove .gitignore from leading apps and add mta.yaml back (#505)

Co-authored-by: Yashmeet . <yashmeet@sap.com>

* Update multiTenancyDeployLocal.yml

* Update pom.xml

* modified workflow

* Added retry logic

* Added Retry logic

* modified workflow

* updated sdm version

* Updated sdm version in pom

---------

Co-authored-by: Yashmeet . <yashmeet@sap.com>

* Update blackduck.yml

* updated the workflow to use the pr environment & also added codeowner

* updated the workflow

* modified workflow

---------

Co-authored-by: vibhutikumar <160819926+vibhutikumar07@users.noreply.github.com>