
Conversation

@jordan-dr
Contributor

No description provided.

@dryrunsecurity

dryrunsecurity bot commented May 2, 2025

DryRun Security

🔴 Risk threshold exceeded.

This pull request contains multiple critical security vulnerabilities, including hardcoded PostgreSQL credentials, exposed AWS secret keys in workflow logs, potential command injection through unvalidated tag input, and the use of GitHub Actions without pinned commit hashes, which could lead to supply chain attacks.

✨ Code Policies (3)
Policy hardcoded-creds
Result Yes, the change includes hard-coded credentials in the postgres service configuration within the test job. Specifically, it contains hard-coded values for POSTGRES_USER: 'postgres' and POSTGRES_PASSWORD: 'postgres', as well as these same credentials in the DATABASE_URL environment variable. Guidance: refer issues to the security team
Policy GitHub Actions Security Policy
Result Yes, this GitHub Actions workflow has multiple security issues:
1. Line 83: Direct exposure of AWS secret via echo command: echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"
2. Lines 85-87: Command injection vulnerability via unsanitized tag input: git checkout ${{ github.event.inputs.tag }}. The workflow_dispatch input 'tag' is used directly in a git command without validation.
3. Multiple third-party actions used without pinned commit hashes:
   - Line 29: actions/checkout@v4
   - Line 32: ruby/setup-ruby@v1
   - Line 71: actions/cache@v3
   - Line 142: slackapi/slack-github-action@v1
   Using version tags instead of commit hashes allows for potential supply chain attacks if the action is compromised.
4. Line 41: Checkout of private repo using GH_TOKEN secret: While not inherently unsafe, the token permissions should be restricted to minimum required access.
Policy test-check
Result Yes, there is a concerning logging issue in the GitHub workflow file. On line 85, there is an explicit logging of an AWS secret access key using 'echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"'. This logs a sensitive credential directly to the workflow logs, which is a serious security risk as it could expose AWS access credentials. Guidance: bad code
💭 Unconfirmed Findings (2)
Vulnerability Potential Command Injection via Unvalidated Tag Input
Description A security vulnerability in the GitHub Actions workflow where user-provided tag input can be used to inject arbitrary commands or checkout unintended branches/commits. Located in .github/workflows/main.yaml, this poses a significant risk of command injection due to lack of proper input validation.
Vulnerability Secret Exposure in Workflow Logs
Description A critical security issue where sensitive AWS credentials are explicitly printed to GitHub Actions logs, potentially exposing confidential authentication information to unauthorized parties. This vulnerability is located in .github/workflows/main.yaml and could lead to unauthorized access to AWS resources.

All finding details can be found in the DryRun Security Dashboard.
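As an added example (not the PR's workflow and not DryRun's output), one hardened shape for the patterns the report flags: actions pinned to full commit SHAs (all-zero placeholders here, to be replaced with each action's real commit), the tag input passed through an environment variable and validated before it reaches git, secrets never echoed, and the Postgres credentials drawn from repository secrets instead of literals. The secret names, the postgres image tag and the job layout are assumptions.

```yaml
# Added example, not the PR's own workflow. Commit SHAs are PLACEHOLDERS
# (all zeros); secret names and the image tag are assumptions.
name: ci
on:
  workflow_dispatch:
    inputs:
      tag:
        description: Git tag to check out
        required: true

permissions:
  contents: read          # least privilege for the default GITHUB_TOKEN

jobs:
  test:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        env:
          # flagged: POSTGRES_USER: 'postgres' / POSTGRES_PASSWORD: 'postgres'
          POSTGRES_USER: ${{ secrets.TEST_DB_USER }}
          POSTGRES_PASSWORD: ${{ secrets.TEST_DB_PASSWORD }}
    env:
      # flagged: the same literal credentials repeated inside DATABASE_URL
      DATABASE_URL: postgres://${{ secrets.TEST_DB_USER }}:${{ secrets.TEST_DB_PASSWORD }}@localhost:5432/test
    steps:
      # flagged: actions/checkout@v4 and ruby/setup-ruby@v1 pinned only to a
      # mutable tag; pin to a full commit SHA and keep the tag as a comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (PLACEHOLDER SHA)
      - uses: ruby/setup-ruby@0000000000000000000000000000000000000000 # v1 (PLACEHOLDER SHA)

      # flagged: git checkout ${{ github.event.inputs.tag }} expanded into the
      # shell. Pass the input via env and reject anything that is not a tag name.
      - name: Check out requested tag
        env:
          TAG: ${{ github.event.inputs.tag }}
        run: |
          if ! printf '%s' "$TAG" | grep -Eq '^v[0-9]+(\.[0-9]+){0,2}$'; then
            echo "::error::invalid tag format"; exit 1
          fi
          git fetch --depth=1 origin "refs/tags/$TAG"
          git checkout --detach FETCH_HEAD

      # flagged: echo "AWS secret key is ${{ secrets.AWS_SECRET_ACCESS_KEY }}"
      # Never print a secret; hand it to the tool through the environment only.
      - name: Verify AWS identity
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: aws sts get-caller-identity
```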

@jordan-dr jordan-dr closed this May 2, 2025
@jordan-dr jordan-dr reopened this May 2, 2025
@jordan-dr jordan-dr closed this May 2, 2025
@jordan-dr jordan-dr reopened this May 2, 2025
@jordan-dr jordan-dr closed this May 2, 2025
@jordan-dr jordan-dr reopened this May 2, 2025
@wickett wickett closed this May 8, 2025
@wickett wickett reopened this May 8, 2025
@wickett wickett closed this May 8, 2025
@wickett wickett reopened this May 8, 2025
@jordan-dr jordan-dr closed this May 8, 2025
@jordan-dr jordan-dr reopened this May 8, 2025
@jordan-dr jordan-dr closed this May 9, 2025
@jordan-dr jordan-dr reopened this May 9, 2025
@jordan-dr jordan-dr closed this May 16, 2025
@jordan-dr jordan-dr reopened this May 16, 2025