From 0dbd29f675f892aef8aa6b0a72a5909da44a9c67 Mon Sep 17 00:00:00 2001 From: yotamelo Date: Wed, 1 Apr 2026 11:53:28 +0200 Subject: [PATCH 1/2] fix(ci): [OPS-723] prevent script injection in workflow run: blocks Move all ${{ }} expressions from run: blocks to env: blocks to prevent potential shell injection in public repo CI. Replace fragile matrix.install pattern with conditional steps. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 15 ++++++++------- .github/workflows/gitleaks.yaml | 9 +++++---- .github/workflows/release-please.yml | 8 ++++++-- .github/workflows/release.yml | 2 +- 4 files changed, 20 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 398abc4..6b498a0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,11 +10,7 @@ jobs: build: strategy: matrix: - include: - - os: ubuntu-latest - install: sudo apt-get update && sudo apt-get install -y libpcap-dev - - os: macos-latest - install: brew install libpcap + os: [ubuntu-latest, macos-latest] runs-on: ${{ matrix.os }} steps: @@ -25,8 +21,13 @@ jobs: with: go-version: "1.23" - - name: Install libpcap - run: ${{ matrix.install }} + - name: Install libpcap (Linux) + if: runner.os == 'Linux' + run: sudo apt-get update && sudo apt-get install -y libpcap-dev + + - name: Install libpcap (macOS) + if: runner.os == 'macOS' + run: brew install libpcap - name: Run tests run: make test diff --git a/.github/workflows/gitleaks.yaml b/.github/workflows/gitleaks.yaml index 8f0992c..340564f 100644 --- a/.github/workflows/gitleaks.yaml +++ b/.github/workflows/gitleaks.yaml 
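Review bot: The `os: [ubuntu-latest, macos-latest]` matrix introduced in this hunk is reverted by PATCH 2/2 of the same series, which restores the `include:` block with the `install:` strings purely so the required check names stay stable, so the net change to this stanza across the series is nil and squashing the two patches would leave one coherent commit. When the `include:` block comes back, the `install:` values are data only and no step executes them, which deserves a comment on that key such as `# install: is kept only because branch-protection check names embed it; execution is done by the conditional "Install libpcap" steps below — never interpolate it into run:`. Giving the job an explicit `name: build (${{ matrix.os }})` and updating the required check names would remove the coupling altogether, though that needs a repository-settings change alongside the workflow edit.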
@@ -19,12 +19,13 @@ jobs: persist-credentials: false - name: Set scan range id: range + env: + EVENT: ${{ github.event_name }} + BASE_SHA: ${{ github.event.pull_request.base.sha }} + BEFORE_SHA: ${{ github.event.before }} + FORCED: ${{ github.event.forced }} run: | NULL_SHA="0000000000000000000000000000000000000000" - EVENT="${{ github.event_name }}" - BASE_SHA="${{ github.event.pull_request.base.sha }}" - BEFORE_SHA="${{ github.event.before }}" - FORCED="${{ github.event.forced }}" if [ "$EVENT" = "pull_request" ] && [ -n "$BASE_SHA" ]; then echo "log_opts=${BASE_SHA}..HEAD" >> $GITHUB_OUTPUT elif [ "$EVENT" = "push" ] && [ "$FORCED" \!= "true" ] && [ -n "$BEFORE_SHA" ] && [ "$BEFORE_SHA" \!= "$NULL_SHA" ]; then diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 2778c74..9016550 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -62,11 +62,15 @@ jobs: CGO_ENABLED: "1" GOOS: ${{ matrix.goos }} GOARCH: ${{ matrix.goarch }} + TAG_NAME: ${{ needs.release-please.outputs.tag_name }} run: | mkdir -p bin - go build -ldflags="-s -w -X main.version=${{ needs.release-please.outputs.tag_name }}" -o bin/agentsonar-${{ matrix.goos }}-${{ matrix.goarch }} ./cmd/agentsonar + go build -ldflags="-s -w -X main.version=$TAG_NAME" -o "bin/agentsonar-${GOOS}-${GOARCH}" ./cmd/agentsonar - name: Upload to release env: GH_TOKEN: ${{ github.token }} - run: gh release upload ${{ needs.release-please.outputs.tag_name }} bin/agentsonar-${{ matrix.goos }}-${{ matrix.goarch }} + TAG_NAME: ${{ needs.release-please.outputs.tag_name }} + GOOS: ${{ matrix.goos }} + GOARCH: ${{ matrix.goarch }} + run: gh release upload "$TAG_NAME" "bin/agentsonar-${GOOS}-${GOARCH}" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9f20c0b..eb77280 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
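Review bot: The `echo "log_opts=${BASE_SHA}..HEAD"` line still forwards the payload-derived `BASE_SHA`/`BEFORE_SHA` to whatever later step consumes `log_opts` (presumably the gitleaks invocation, which is outside this hunk), so moving them into `env:` stops shell expansion here but not downstream use; a cheap format check before the `if` keeps anything that is not a hex SHA out of the output: `case "${BASE_SHA}${BEFORE_SHA}" in *[!0-9a-f]*) echo "unexpected SHA format" >&2; exit 1;; esac`. The reason the expressions now live under `env:` is recorded only in the commit message, so a comment on the `env:` line, `# expressions stay in env: so event-payload values are never expanded inside run:`, stops a later edit from moving them back inline. `$GITHUB_OUTPUT` on the echo lines is unquoted and would read better as `"$GITHUB_OUTPUT"`, though that is pre-existing context. The run block continues past the end of the hunk.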
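Review bot: The `Upload to release` step now re-declares `TAG_NAME`, `GOOS` and `GOARCH` that the build step above already carries, so the two `env:` blocks can drift apart; `TAG_NAME: ${{ needs.release-please.outputs.tag_name }}` at least could move to the job-level `env:` (the job header is outside the hunk, so check nothing there conflicts) and be dropped from both steps. `GOOS`/`GOARCH` are probably best left per-step, since a job-level `GOOS` would also affect any step that builds or tests for the host. The quoting of `"$TAG_NAME"` and `"bin/agentsonar-${GOOS}-${GOARCH}"` on the `gh release upload` line is right, and `-X main.version=$TAG_NAME` sits inside the double-quoted `-ldflags` value, so it is equally safe.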
@@ -54,7 +54,7 @@ jobs: VERSION: ${{ github.event.release.tag_name || github.ref_name }} run: | mkdir -p bin - go build -ldflags="-s -w -X main.version=$VERSION" -o bin/agentsonar-${{ matrix.goos }}-${{ matrix.goarch }} ./cmd/agentsonar + go build -ldflags="-s -w -X main.version=$VERSION" -o "bin/agentsonar-${GOOS}-${GOARCH}" ./cmd/agentsonar - name: Upload artifact uses: actions/upload-artifact@v4 From 55bd73c76081dfeb81d37f48b8297d2fd289df66 Mon Sep 17 00:00:00 2001 From: yotamelo Date: Wed, 1 Apr 2026 12:11:15 +0200 Subject: [PATCH 2/2] fix(ci): [OPS-723] restore matrix include to match required check names Branch protection requires check names that include the install command (e.g. "build (ubuntu-latest, sudo apt-get update ...)"). Keep the include matrix for naming but use conditional steps instead of ${{ matrix.install }} for execution. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/ci.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6b498a0..8084826 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,11 @@ jobs: build: strategy: matrix: - os: [ubuntu-latest, macos-latest] + include: + - os: ubuntu-latest + install: sudo apt-get update && sudo apt-get install -y libpcap-dev + - os: macos-latest + install: brew install libpcap runs-on: ${{ matrix.os }} steps:
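Review bot: The new `-o "bin/agentsonar-${GOOS}-${GOARCH}"` relies on `GOOS` and `GOARCH` being set in this step's `env:`, but only `VERSION` is visible at the top of the hunk and the step's `env:` block starts above it; if they are not declared there the binary silently lands at `bin/agentsonar--` and the artifact upload picks up the wrong name. Adding `: "${GOOS:?}" "${GOARCH:?}"` as the first line of the `run:` script fails the step loudly instead, and matches release-please.yml, where the equivalent `env:` block declares `GOOS: ${{ matrix.goos }}` explicitly. The step begins outside the hunk.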