From 9d93ac74d70e2da431af1c7bbd0ae15b734d24ee Mon Sep 17 00:00:00 2001 From: Waleed Latif Date: Mon, 13 Apr 2026 22:00:43 -0700 Subject: [PATCH 1/2] fix(ci): replace dynamic secret access with explicit secret references Resolves CodeQL "Excessive Secrets Exposure" warning by replacing secrets[matrix.ecr_repo_secret] with conditional expressions that reference only the specific secrets needed. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e3c693e0dc..082de4b0f1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -88,6 +88,12 @@ jobs: - name: Set up Docker Buildx uses: useblacksmith/setup-docker-builder@v1 + - name: Resolve ECR repo name + id: ecr-repo + run: echo "name=$ECR_REPO" >> $GITHUB_OUTPUT + env: + ECR_REPO: ${{ matrix.ecr_repo_secret == 'ECR_APP' && secrets.ECR_APP || matrix.ecr_repo_secret == 'ECR_MIGRATIONS' && secrets.ECR_MIGRATIONS || secrets.ECR_REALTIME }} + - name: Build and push uses: useblacksmith/build-push-action@v2 with: @@ -95,7 +101,7 @@ jobs: file: ${{ matrix.dockerfile }} platforms: linux/amd64 push: true - tags: ${{ steps.login-ecr.outputs.registry }}/${{ secrets[matrix.ecr_repo_secret] }}:dev + tags: ${{ steps.login-ecr.outputs.registry }}/${{ steps.ecr-repo.outputs.name }}:dev provenance: false sbom: false @@ -159,7 +165,7 @@ jobs: id: meta run: | ECR_REGISTRY="${{ steps.login-ecr.outputs.registry }}" - ECR_REPO="${{ secrets[matrix.ecr_repo_secret] }}" + ECR_REPO="${{ matrix.ecr_repo_secret == 'ECR_APP' && secrets.ECR_APP || matrix.ecr_repo_secret == 'ECR_MIGRATIONS' && secrets.ECR_MIGRATIONS || secrets.ECR_REALTIME }}" GHCR_IMAGE="${{ matrix.ghcr_image }}" if [ "${{ github.ref }}" = "refs/heads/main" ]; then From 830454b52428b646be53c286dd2df87ff7e8a677 Mon Sep 17 00:00:00 2001 
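Review bot: The new `Resolve ECR repo name` step in the first hunk turns a secret into a step output, and nothing in the workflow records that this is deliberate or what it implies; I would put a comment above the step, e.g. `# ECR repo names are stored as secrets; resolve the one this matrix entry needs via env: and hand it on as a step output (CodeQL flags the dynamic secrets[matrix.*] form)`. The output is still a secret value: the runner masks it in logs, but as far as I know job-level outputs that contain a secret are dropped, so `steps.ecr-repo.outputs.name` should only be consumed inside this job and not promoted to `jobs.<id>.outputs`. On the same step, quote the target file, `run: echo "name=$ECR_REPO" >> "$GITHUB_OUTPUT"`, so a runner path with spaces cannot split the redirection.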
From: Waleed Latif Date: Mon, 13 Apr 2026 22:04:27 -0700 Subject: [PATCH 2/2] fix(ci): add explicit ECR_REALTIME guard and use env block for secret injection - Prevent silent fallthrough to ECR_REALTIME for unrecognized secret keys - Move build-amd64 secret resolution to env: block matching build-dev pattern --- .github/workflows/ci.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 082de4b0f1..4605c9227c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -92,7 +92,7 @@ jobs: id: ecr-repo run: echo "name=$ECR_REPO" >> $GITHUB_OUTPUT env: - ECR_REPO: ${{ matrix.ecr_repo_secret == 'ECR_APP' && secrets.ECR_APP || matrix.ecr_repo_secret == 'ECR_MIGRATIONS' && secrets.ECR_MIGRATIONS || secrets.ECR_REALTIME }} + ECR_REPO: ${{ matrix.ecr_repo_secret == 'ECR_APP' && secrets.ECR_APP || matrix.ecr_repo_secret == 'ECR_MIGRATIONS' && secrets.ECR_MIGRATIONS || matrix.ecr_repo_secret == 'ECR_REALTIME' && secrets.ECR_REALTIME || '' }} - name: Build and push uses: useblacksmith/build-push-action@v2 @@ -161,11 +161,17 @@ jobs: - name: Set up Docker Buildx uses: useblacksmith/setup-docker-builder@v1 + - name: Resolve ECR repo name + id: ecr-repo + run: echo "name=$ECR_REPO" >> $GITHUB_OUTPUT + env: + ECR_REPO: ${{ matrix.ecr_repo_secret == 'ECR_APP' && secrets.ECR_APP || matrix.ecr_repo_secret == 'ECR_MIGRATIONS' && secrets.ECR_MIGRATIONS || matrix.ecr_repo_secret == 'ECR_REALTIME' && secrets.ECR_REALTIME || '' }} + - name: Generate tags id: meta run: | ECR_REGISTRY="${{ steps.login-ecr.outputs.registry }}" - ECR_REPO="${{ matrix.ecr_repo_secret == 'ECR_APP' && secrets.ECR_APP || matrix.ecr_repo_secret == 'ECR_MIGRATIONS' && secrets.ECR_MIGRATIONS || secrets.ECR_REALTIME }}" + ECR_REPO="${{ steps.ecr-repo.outputs.name }}" GHCR_IMAGE="${{ matrix.ghcr_image }}" if [ "${{ github.ref }}" = "refs/heads/main" ]; then
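Review bot: The `|| ''` fallback in the `ECR_REPO` expression (build-dev `Resolve ECR repo name` step) turns an unrecognized `matrix.ecr_repo_secret` into an empty name, so the resolve step succeeds and the job only fails later when `tags:` expands to `<registry>/:dev`; the same empty result comes out when the matched secret is simply not set, because an empty secret is falsy in the `&&` chain. I would fail fast in the resolve step instead: test `$ECR_REPO` for emptiness, emit an `::error::` naming the key, and exit non-zero, quoting `$GITHUB_OUTPUT` while there. The key is passed through `env:` as well so it never lands in the script text.
```yaml
- name: Resolve ECR repo name
  id: ecr-repo
  run: |
    if [ -z "$ECR_REPO" ]; then
      echo "::error::no ECR repository resolved for ecr_repo_secret='$ECR_REPO_KEY' (unknown key or secret not set)"
      exit 1
    fi
    echo "name=$ECR_REPO" >> "$GITHUB_OUTPUT"
  env:
    ECR_REPO_KEY: ${{ matrix.ecr_repo_secret }}
    # … unchanged: ECR_REPO conditional expression …
```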
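Review bot: `ECR_REPO="${{ steps.ecr-repo.outputs.name }}"` in the build-amd64 `Generate tags` step still splices the secret-derived output into the shell source, which is the inline pattern this patch says it is moving away from; put it in the step's `env:` block instead, `env:` / `ECR_REPO: ${{ steps.ecr-repo.outputs.name }}`, and drop the assignment line, since a shell variable of the same name is then already set when the script runs (the rest of the script is outside the hunk — confirm nothing else reassigns it). `GHCR_IMAGE="${{ matrix.ghcr_image }}"` and the `${{ github.ref }}` comparison on the context lines are workflow-defined values rather than untrusted input, but they would read more consistently with the same `env:` treatment. The `run: |` script this hunk edits continues past the end of the hunk.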