chore: Update SDK and fix security vulnerabilities

- Update privateer-sdk from v1.10.0 to v1.13.0 to include ToSARIF fixes
- Fix template injection vulnerabilities using context.payload instead of template strings
- Add repository and branch validation for workflow_run triggers
- All security validations ensure workflows only run from same repo and allowed branches

Author: Zohayb Bhatti

.github/workflows/build-binaries.yml

@@ -39,16 +39,39 @@ jobs:
             arch: amd64
             output: github-repo-windows-amd64.exe
     steps:
-      - name: Check if lint workflow passed
+      - name: Validate workflow_run security
         if: github.event_name == 'workflow_run'
         uses: actions/github-script@v7
         with:
           script: |
+            const workflowRun = context.payload.workflow_run;
+            
+            // Validate workflow_run is from the same repository (not a fork)
+            if (!workflowRun || workflowRun.repository.full_name !== context.repo.owner + '/' + context.repo.repo) {
+              core.setFailed('Security: workflow_run must be from the same repository');
+              return;
+            }
+            
+            // Validate head SHA format
+            const headSha = workflowRun.head_sha;
+            if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
+              core.setFailed('Invalid head SHA format');
+              return;
+            }
+            
+            // Validate branch is allowed
+            const allowedBranches = ['main', 'develop'];
+            if (!allowedBranches.includes(workflowRun.head_branch)) {
+              core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
+              return;
+            }
+            
+            // Check if lint workflow passed
             const { data: runs } = await github.rest.actions.listWorkflowRuns({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 workflow_id: 'lint.yaml',
-                head_sha: '${{ github.event.workflow_run.head_sha }}',
+                head_sha: headSha,
                 per_page: 1
             });
             if (runs.workflow_runs.length > 0 && runs.workflow_runs[0].conclusion !== 'success') {

.github/workflows/docker-push.yml

@@ -25,16 +25,39 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && (github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'develop')) }}
     steps:
-      - name: Check if lint workflow passed
+      - name: Validate workflow_run security
         if: github.event_name == 'workflow_run'
         uses: actions/github-script@v7
         with:
           script: |
+            const workflowRun = context.payload.workflow_run;
+            
+            // Validate workflow_run is from the same repository (not a fork)
+            if (!workflowRun || workflowRun.repository.full_name !== context.repo.owner + '/' + context.repo.repo) {
+              core.setFailed('Security: workflow_run must be from the same repository');
+              return;
+            }
+            
+            // Validate head SHA format
+            const headSha = workflowRun.head_sha;
+            if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
+              core.setFailed('Invalid head SHA format');
+              return;
+            }
+            
+            // Validate branch is allowed
+            const allowedBranches = ['main', 'develop'];
+            if (!allowedBranches.includes(workflowRun.head_branch)) {
+              core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
+              return;
+            }
+            
+            // Check if lint workflow passed
             const { data: runs } = await github.rest.actions.listWorkflowRuns({
               owner: context.repo.owner,
               repo: context.repo.repo,
               workflow_id: 'lint.yaml',
-              head_sha: '${{ github.event.workflow_run.head_sha }}',
+              head_sha: headSha,
               per_page: 1
             });
             if (runs.workflow_runs.length > 0 && runs.workflow_runs[0].conclusion !== 'success') {

.github/workflows/integration-test.yml

@@ -21,6 +21,32 @@ jobs:
         runs-on: ubuntu-latest
         if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main') }}
         steps:
+            - name: Validate workflow_run security
+              if: github.event_name == 'workflow_run'
+              uses: actions/github-script@v7
+              with:
+                  script: |
+                      const workflowRun = context.payload.workflow_run;
+                      
+                      // Validate workflow_run is from the same repository (not a fork)
+                      if (!workflowRun || workflowRun.repository.full_name !== context.repo.owner + '/' + context.repo.repo) {
+                        core.setFailed('Security: workflow_run must be from the same repository');
+                        return;
+                      }
+                      
+                      // Validate head SHA format
+                      const headSha = workflowRun.head_sha;
+                      if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
+                        core.setFailed('Invalid head SHA format');
+                        return;
+                      }
+                      
+                      // Validate branch is allowed
+                      const allowedBranches = ['main'];
+                      if (!allowedBranches.includes(workflowRun.head_branch)) {
+                        core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
+                        return;
+                      }
             - name: Checkout code
               uses: actions/checkout@v5
               with:

.github/workflows/security-scan.yml

@@ -19,16 +19,39 @@ jobs:
         runs-on: ubuntu-latest
         if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
         steps:
-            - name: Check if lint workflow passed
+            - name: Validate workflow_run security
               if: github.event_name == 'workflow_run'
               uses: actions/github-script@v7
               with:
                   script: |
+                      const workflowRun = context.payload.workflow_run;
+                      
+                      // Validate workflow_run is from the same repository (not a fork)
+                      if (!workflowRun || workflowRun.repository.full_name !== context.repo.owner + '/' + context.repo.repo) {
+                        core.setFailed('Security: workflow_run must be from the same repository');
+                        return;
+                      }
+                      
+                      // Validate head SHA format
+                      const headSha = workflowRun.head_sha;
+                      if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
+                        core.setFailed('Invalid head SHA format');
+                        return;
+                      }
+                      
+                      // Validate branch is allowed
+                      const allowedBranches = ['main', 'develop'];
+                      if (!allowedBranches.includes(workflowRun.head_branch)) {
+                        core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
+                        return;
+                      }
+                      
+                      // Check if lint workflow passed
                       const { data: runs } = await github.rest.actions.listWorkflowRuns({
                           owner: context.repo.owner,
                           repo: context.repo.repo,
                           workflow_id: 'lint.yaml',
-                          head_sha: '${{ github.event.workflow_run.head_sha }}',
+                          head_sha: headSha,
                           per_page: 1
                       });
                       if (runs.workflow_runs.length > 0 && runs.workflow_runs[0].conclusion !== 'success') {

go.mod

@@ -7,27 +7,45 @@ require (
 	github.com/migueleliasweb/go-github-mock v1.4.0
 	github.com/ossf/gemara v0.13.0
 	github.com/ossf/si-tooling/v2 v2.0.5-0.20250508212737-7ddcc8c43db9
-	github.com/privateerproj/privateer-sdk v1.10.0
+	github.com/privateerproj/privateer-sdk v1.13.0
 	github.com/rhysd/actionlint v1.7.8
 	github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7
 	golang.org/x/oauth2 v0.32.0
 )
 
 require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/ProtonMail/go-crypto v1.1.6 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/defenseunicorns/go-oscal v0.7.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-git/go-git/v5 v5.16.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/go-github/v71 v71.0.0 // indirect
 	github.com/google/go-github/v73 v73.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	go.yaml.in/yaml/v4 v4.0.0-rc.2 // indirect
+	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
 require (
@@ -58,7 +76,7 @@ require (
 	github.com/spf13/viper v1.21.0 // indirect
 	github.com/stretchr/testify v1.11.1
 	github.com/subosito/gotenv v1.6.0 // indirect
-	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
 	golang.org/x/sync v0.17.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/text v0.28.0 // indirect