Harden CI/CD supply chain security across all workflows (#1328)

## Summary

Addresses critical, high, and medium findings from a comprehensive CI/CD
supply chain security audit.

### CRITICAL
- **`claude-code-review.yml`**: Fixed privilege escalation risk — was
checking out PR head branch ref (mutable) with `pull-requests: write` +
`issues: write` + `id-token: write`. Now checks out by commit SHA. Moved
all `github.event.*` expressions from inline `run:` steps to `env:`
blocks.

### HIGH
- **`dco-check.yml`**: Fixed script injection —
`github.event.pull_request.head.repo.full_name`, `.base.ref`,
`.base.sha`, `.head.sha` were injected directly into shell `run:` steps.
An attacker could craft a fork repo name with shell metacharacters. All
now passed via `env:` blocks.

### MEDIUM
- **All 22 workflows**: Added explicit `permissions:` blocks (15 were
missing, inheriting overly-broad repo defaults)
- **`updateVersion.yml`**: Moved `workflow_dispatch` inputs from inline
`${{ }}` to `env:` blocks
- **`slt.yml`**: Token now passed via `env:` block instead of inline in
`run:` command
- **`releaseFreeze.yml`**: Moved PR number to `env:` block, added
`permissions: contents: read`
- **`checkNextChangelog.yml`**: Moved PR number to `env:` block
- **Added `CODEOWNERS`**: Requires review for `.github/workflows/`
changes
- **Added `dependabot.yml`**: Automated monitoring for GitHub Actions
and Maven dependency updates

### Permissions Summary
| Permission | Workflows |
|---|---|
| `contents: read` | 18 workflows (tests, CI, checks) |
| `contents: write` | 3 workflows (release, release-thin, updateVersion)
|
| `issues: write, pull-requests: write` | 1 workflow (closeStale) |
| Scoped per-job | 2 workflows (claude, claude-code-review) |

NO_CHANGELOG=true

## Test plan
- [ ] Verify `dco-check` triggers correctly on a PR from a fork
- [ ] Verify `claude-code-review` still functions with SHA-based
checkout
- [ ] Verify `releaseFreeze` check passes on PRs
- [ ] Verify `checkNextChangelog` check passes on PRs
- [ ] Verify `closeStale` can still label/close issues and PRs
- [ ] Verify release workflows can still create GitHub releases
(`contents: write`)

This pull request was AI-assisted by Isaac.

---------

Signed-off-by: Gopal Lal <[email protected]>

Author: gopalldb

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# Require review for changes to GitHub Actions workflows and CI configuration
+.github/workflows/ @databricks/eng-oss-sql-driver
+.github/CODEOWNERS @databricks/eng-oss-sql-driver 

.github/dependabot.yml

@@ -0,0 +1,20 @@
+version: 2
+updates:
+  # Keep GitHub Actions up to date
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "github-actions"
+
+  # Keep Maven dependencies up to date
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "maven"
+    open-pull-requests-limit: 10

.github/workflows/bugCatcher.yml

@@ -5,6 +5,9 @@ on:
     # Runs at 00:00 on every Monday
     - cron: '0 0 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     name: Build and Run Integration Tests

.github/workflows/checkNextChangelog.yml

@@ -24,13 +24,14 @@ jobs:
         id: changed-files
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           # Use the GitHub API to fetch changed files
-          files=$(gh pr view ${{ github.event.pull_request.number }} --json files -q '.files[].path')
-          
+          files=$(gh pr view "$PR_NUMBER" --json files -q '.files[].path')
+
           # Sanitize to avoid code injection
           sanitized_files=$(echo "$files" | sed 's/[^a-zA-Z0-9._/-]/_/g')
-          
+
           # Store the sanitized list of files in a temporary file to avoid env variable issues
           echo "$sanitized_files" > modified_files.txt
           echo "$sanitized_files"
@@ -39,13 +40,14 @@ jobs:
         id: pr-message
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           # Use the GitHub API to fetch the PR message
-          pr_message=$(gh pr view ${{ github.event.pull_request.number }} --json body -q '.body')
-          
+          pr_message=$(gh pr view "$PR_NUMBER" --json body -q '.body')
+
           # Sanitize the PR message to avoid code injection, keeping the equal sign
           sanitized_pr_message=$(echo "$pr_message" | sed 's/[^a-zA-Z0-9._/-=]/_/g')
-          
+
           # Store the sanitized PR message
           echo "$sanitized_pr_message" > pr_message.txt
           echo "$sanitized_pr_message"

.github/workflows/claude-code-review.yml

@@ -23,25 +23,31 @@ jobs:
 
     steps:
       - name: React to comment
-        run: |
-          gh api repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions \
-            -f content=eyes
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          COMMENT_ID: ${{ github.event.comment.id }}
+        run: |
+          gh api "repos/${REPO}/issues/comments/${COMMENT_ID}/reactions" \
+            -f content=eyes
 
-      - name: Get PR head ref
+      - name: Get PR head SHA
         id: pr
-        run: |
-          PR_DATA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }})
-          echo "ref=$(echo "$PR_DATA" | jq -r .head.ref)" >> "$GITHUB_OUTPUT"
-          echo "number=$(echo "$PR_DATA" | jq -r .number)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          PR_DATA=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}")
+          echo "sha=$(echo "$PR_DATA" | jq -r .head.sha)" >> "$GITHUB_OUTPUT"
+          echo "number=$(echo "$PR_DATA" | jq -r .number)" >> "$GITHUB_OUTPUT"
 
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ref: ${{ steps.pr.outputs.ref }}
+          # Use the commit SHA instead of the branch ref to prevent
+          # the branch from being moved between the API call and checkout
+          ref: ${{ steps.pr.outputs.sha }}
           fetch-depth: 0
 
       - name: Run Claude Code Review

.github/workflows/closeStale.yml

@@ -3,6 +3,11 @@ on:
   schedule:
     # Run at 06:30 GMT everyday
     - cron: "30 6 * * *"
+
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on:

.github/workflows/concurrencyExecutionTests.yml

@@ -14,6 +14,9 @@ on:
         required: false
         default: 'databricks/databricks-jdbc'
 
+permissions:
+  contents: read
+
 jobs:
   concurrency-tests:
     name: Run Concurrency Execution Tests

.github/workflows/dco-check.yml

@@ -5,6 +5,9 @@ on:
     types: [opened, synchronize, reopened]
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   dco-check:
     runs-on:
@@ -20,59 +23,65 @@ jobs:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
 
       - name: Add upstream remote (for forks)
+        env:
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          BASE_REPO: ${{ github.repository }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
           # Add the upstream repository as a remote if this is a fork
-          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+          if [ "$HEAD_REPO" != "$BASE_REPO" ]; then
             echo "This is a fork, adding upstream remote"
-            git remote add upstream https://github.com/${{ github.repository }}.git
-            git fetch upstream ${{ github.event.pull_request.base.ref }}
+            git remote add upstream "https://github.com/${BASE_REPO}.git"
+            git fetch upstream "$BASE_REF"
           else
             echo "This is not a fork, using origin"
           fi
 
       - name: Check DCO Sign-off
+        env:
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          BASE_REPO: ${{ github.repository }}
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           #!/bin/bash
           set -e
-          
-          # Get the list of commits in this PR
-          BASE_SHA="${{ github.event.pull_request.base.sha }}"
-          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
-          
+
           echo "Checking commits from $BASE_SHA to $HEAD_SHA"
-          
+
           # Verify that both commits exist
           if ! git cat-file -e "$BASE_SHA" 2>/dev/null; then
             echo "Error: Base commit $BASE_SHA not found"
             echo "Trying to fetch from upstream..."
-            if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
-              git fetch upstream ${{ github.event.pull_request.base.ref }}
+            if [ "$HEAD_REPO" != "$BASE_REPO" ]; then
+              git fetch upstream "$BASE_REF"
             else
-              git fetch origin ${{ github.event.pull_request.base.ref }}
+              git fetch origin "$BASE_REF"
             fi
           fi
-          
+
           if ! git cat-file -e "$HEAD_SHA" 2>/dev/null; then
             echo "Error: Head commit $HEAD_SHA not found"
             exit 1
           fi
-          
+
           # Get commit messages for all commits in the PR
           COMMITS=$(git rev-list --no-merges "$BASE_SHA..$HEAD_SHA")
-          
+
           if [ -z "$COMMITS" ]; then
             echo "No commits found in this PR"
             exit 0
           fi
-          
+
           FAILED_COMMITS=()
-          
+
           for commit in $COMMITS; do
             echo "Checking commit: $commit"
-            
+
             # Get the commit message
             COMMIT_MSG=$(git log --format=%B -n 1 "$commit")
-            
+
             # Check if the commit message contains "Signed-off-by:"
             if echo "$COMMIT_MSG" | grep -q "^Signed-off-by: "; then
               echo "✅ Commit $commit has DCO sign-off"
@@ -81,7 +90,7 @@ jobs:
               FAILED_COMMITS+=("$commit")
             fi
           done
-          
+
           if [ ${#FAILED_COMMITS[@]} -ne 0 ]; then
             echo ""
             echo "❌ DCO Check Failed!"

.github/workflows/loggingTesting.yml

@@ -11,6 +11,9 @@ on:
         required: false
         default: 'main'
 
+permissions:
+  contents: read
+
 jobs:
   test-logging:
     strategy:

.github/workflows/prCheck.yml

@@ -8,6 +8,9 @@ on:
     types: [opened, synchronize, reopened]
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   formatting-check:
     strategy: