harden bump-version workflow

- validate dbt-package-version via env var, fail-closed on invalid input
- flow validated version through env vars to all downstream run: steps
- SHA-pin repo-sync/pull-request@v2
- deny GITHUB_TOKEN by default, grant minimum per job

Made-with: Cursor

Author: GuyEshdat

.github/workflows/bump-version.yml

@@ -13,58 +13,66 @@ on:
         type: string
         required: true
 
+permissions: {}
+
 jobs:
   validate-version:
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
-      validated-dbt-package-version: ${{ steps.validate-dbt-package-input.outputs.dbt-package-validation }}
+      version: ${{ steps.validate.outputs.version }}
     steps:
-      - name: validate dbt package version
-        id: validate-dbt-package-input
-        run: echo "dbt-package-validation=$(echo ${{ inputs.dbt-package-version }} | sed -n '/^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/p')" >> $GITHUB_OUTPUT
-      - name: echo versions
+      - name: Validate dbt package version
+        id: validate
+        env:
+          VERSION: ${{ inputs.dbt-package-version }}
         run: |
-          echo "dbt package version: ${{ steps.validate-dbt-package-input.outputs.dbt-package-validation }}"
-      - name: fail on invalid input
-        if: ${{ steps.validate-dbt-package-input.outputs.dbt-package-validation == '' }}
-        uses: actions/github-script@v8
-        with:
-          script: |
-            core.setFailed("Invalid version input - ${{ inputs.dbt-package-version }}")
+          if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error::Invalid version: $VERSION"
+            exit 1
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
   bump-version:
     needs: validate-version
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    env:
+      VERSION: ${{ needs.validate-version.outputs.version }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
       - name: Create release branch
-        run: git checkout -b release/${{ inputs.dbt-package-version }}
+        run: git checkout -b "release/$VERSION"
       - name: Initial config
         run: |
           git config user.name "GitHub Actions"
           git config user.email noreply@github.com
       - name: Bump package version
         run: |
-          sed -i 's/version: "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*"$/version: "${{ inputs.dbt-package-version }}"/' ./dbt_project.yml
+          sed -i 's/version: "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*"$/version: "'"$VERSION"'"/' ./dbt_project.yml
       - name: Bump readme package version
         run: |
-          sed -i 's/version: [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/version: ${{ inputs.dbt-package-version }}/' ./README.md
+          sed -i 's/version: [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/version: '"$VERSION"'/' ./README.md
       - name: Commit changes
-        run: git commit -am "release ${{ inputs.dbt-package-version }}"
+        run: git commit -am "release $VERSION"
       - name: Push code
-        run: git push origin release/${{ inputs.dbt-package-version }}
+        run: git push origin "release/$VERSION"
 
   create-pr:
-    needs: bump-version
+    needs: [validate-version, bump-version]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
       - name: create pull request
-        uses: repo-sync/pull-request@v2
+        uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2
         with:
-          source_branch: "release/${{ inputs.dbt-package-version }}"
+          source_branch: "release/${{ needs.validate-version.outputs.version }}"
           destination_branch: "master"
-          pr_title: "release/${{ inputs.dbt-package-version }}"
+          pr_title: "release/${{ needs.validate-version.outputs.version }}"
           pr_body: "Open automatically using bump version workflow"
           github_token: ${{ secrets.GITHUB_TOKEN }}