ci: fix pre-existing zizmor security findings (template-injection, cache-poisoning, permissions)

[AskAlexSharov]

Background

PR #21127 added zizmor to the lint job. Running it revealed pre-existing security findings across many QA and CD workflow files. These are suppressed in .github/zizmor.yml for now so CI stays green; this issue tracks fixing them properly.

template-injection (code injection via template expansion)

${{ ... }} expressions used directly in run: blocks instead of going through env: vars. Most are github.ref, github.ref_name, runner.name, github.workspace (low risk — GitHub-controlled) but some are github.event.inputs.* (user-controlled, higher risk).

File	Lines
backups-dashboards.yml	107, 111
ci-cd-main-branch-docker-images.yml	56, 128
ci-gate.yml	110 (toJSON(needs) — false positive)
qa-clean-exit-block-downloading.yml	91
qa-clean-exit-snapshot-downloading.yml	99
qa-constrained-tip-tracking.yml	150
qa-rpc-integration-tests-clients.yml	96
qa-rpc-integration-tests-gnosis.yml	52, 54, 119, 162
qa-rpc-integration-tests-latest.yml	50, 52, 187, 242
qa-rpc-integration-tests-polygon.yml	181
qa-rpc-integration-tests-remote.yml	46, 48, 184, 259
qa-rpc-integration-tests.yml	52, 54, 120, 163
qa-rpc-performance-comparison-tests.yml	110, 112, 339, 408
qa-rpc-performance-tests.yml	101, 103, 317
qa-snap-download.yml	88
qa-stage-exec.yml	40, 42, 116
qa-sync-from-scratch-minimal-node.yml	91
qa-sync-from-scratch.yml	116, 197
qa-sync-with-externalcl.yml	108
qa-tip-tracking-gnosis.yml	33, 35, 153
qa-tip-tracking-with-load.yml	242
qa-tip-tracking.yml	33, 35, 153
qa-txpool-performance-test.yml	256

Fix: Route each expression through an env: block. Example:

env:
  REF_NAME: ${{ github.ref_name }}
run: |
  echo "Branch: $REF_NAME"

cache-poisoning (artipacked)

Docker-layer or artifact caching that could be poisoned:

File	Line
manifest.yml	40
qa-rpc-integration-tests-gnosis.yml	78
qa-rpc-integration-tests.yml	78
qa-sync-from-scratch.yml	148
test-kurtosis-assertoor.yml	83

excessive-permissions

• ci-gate.yml:33 — actions: write at workflow level (intentional: needed for merge-queue sibling cancellation)

Resolution

Once fixed, remove the corresponding entries from .github/zizmor.yml so zizmor enforces the rule going forward.

[AskAlexSharov]

Warning-level findings (added from CI run)

These were warning annotations (not errors) but suppressed in .github/zizmor.yml to keep CI output clean. Tracked here for future cleanup.

excessive-permissions — missing permissions: block

Affects nearly every workflow file. The fix is to add an explicit permissions: block with least-privilege settings to each workflow. Full list:
backups-dashboards.yml, cache-warming.yml, check-large-files.yml, ci-cd-main-branch-docker-images.yml, docker-image-remove.yml, docker-tags.yml, lint.yml, manifest.yml, qa-clean-exit-*, qa-constrained-tip-tracking.yml, qa-rpc-*, qa-snap-download.yml, qa-stage-exec.yml, qa-sync-*, qa-test-report.yml, qa-tip-tracking*.yml, qa-txpool-performance-test.yml, release.yml, reproducible-build.yml, sonar.yml, test-all-erigon*.yml, test-bench.yml, test-hive*.yml, test-integration-caplin.yml, test-kurtosis-assertoor.yml

Fix: Add to each workflow:

permissions:
  contents: read

(and other permissions as needed for that workflow)

credential-persistence — persist-credentials: false not set

Most actions/checkout steps leave credentials persisted after the checkout step, which means they remain available to subsequent steps and could be exfiltrated. Fix: add persist-credentials: false to checkout steps that don't need to push back to the repo.

Affects ~40 files (one finding per checkout step).

secrets-inherit — secrets: inherit in reusable workflow calls

cache-warming.yml and ci-gate.yml pass all secrets to child workflows via secrets: inherit. The flag is intentional but overly broad. Fix: enumerate only the specific secrets each child actually needs.

Additional template-injection (warning level)

File	Lines
docker-image-remove.yml	36
release.yml	594, 597, 601
test-all-erigon-race.yml	70

[VBulikov]

yperbasis added Imp2 as Importance