harden testing workflows (env-var policy + permissions + SHA-pin)

[GuyEshdat]

Summary

Hardens the dbt warehouse-test and stale-schema-cleanup workflows.

• Defense-in-depth: every ${{ }} expression inside run: blocks is now passed through env:. Applies to inputs, github context, matrix values, and ternary-style conditional values. None of these are externally exploitable today (matrix values are hardcoded; inputs are write-access-only via workflow_dispatch), but the env-var pattern is now consistent across the workflow surface area.
• inputs.max-age-hours is fail-closed: validated against ^[0-9]+$ before reaching dbt run-operation.
• SHA-pinned pmeier/pytest-results-action@v0.8.0 (this action runs in the job that has cloud DWH credentials in env).
• Default-deny GITHUB_TOKEN: top-level permissions: {}, jobs declare the minimum they need (everything in this PR is contents: read).

Test plan

• PR triggers pull_request (internal) and pull_request_target (fork) flows correctly.
• Cloud and local warehouse tests still pass.
• Cleanup workflow on schedule still drops stale schemas.
• workflow_dispatch of cleanup with invalid max-age-hours (e.g. 24abc) fails at validation.

Made with Cursor

Summary by CodeRabbit

• Chores
  • Hardened CI security by tightening token permissions across workflows.
  • Improved workflow reliability with input validation for age limits, safer path handling, and clearer environment-variable usage.
  • Simplified and standardized dependency/install and invocation steps for data-tooling to reduce flakiness.
  • Made test reporting and run configuration more consistent (includes target/version in outputs) and pinned reporting integration for stability.

[linear]

CORE-684 harden workflows for dbt-package

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d4b04dec-f780-4f00-861e-ebfa6b52a102

📥 Commits

Reviewing files that changed from the base of the PR and between 3fcd502 and c7638b8.

📒 Files selected for processing (1)

• .github/workflows/test-warehouse.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/test-warehouse.yml

---

📝 Walkthrough

Walkthrough

Workflows were tightened with least-privilege permissions, job-level env vars were added, and dbt install/execution logic was refactored and made more robust across multiple GitHub Actions workflows.

Changes

Cohort / File(s)	Summary
Permission hardening & fork-detection .github/workflows/.../test-all-warehouses.yml	Adds top-level permissions: {} and job-level permissions: contents: read where needed. Updates fork-detection job to run with no permissions, moves GitHub context lookups into job env, and quotes "$GITHUB_OUTPUT" writes.
Permission hardening & dbt refactor (cleanup) .github/workflows/.../cleanup-stale-schemas.yml	Sets workflow/job permissions, adds WAREHOUSE and MAX_AGE_HOURS env vars, validates max-age-hours as non-negative integer, refactors dbt adapter resolution into DBT_ADAPTER_PKG and single pip install, quotes symlink paths, and uses validated MAX_AGE_HOURS in the dbt run-operation invocation.
Permission hardening & dbt refactor (per-warehouse tests) .github/workflows/.../test-warehouse.yml	Adds top-level empty permissions and job-level contents: read; introduces job WAREHOUSE and DBT_VERSION env vars; consolidates dbt install via env-driven pins (DBT_CORE_PIN, DBT_ADAPTER_PKG, etc.), replaces adapter if/else with case "$WAREHOUSE", computes DBT_BIN per step, parameterizes pytest output names, and pins pytest-results action to a commit SHA.
Simple permission hardening (pre-releases) .github/workflows/.../test-all-warehouses-dbt-pre-releases.yml	Adds workflow-level permissions: {} and grants only contents: read to the delegated test job; no other functional changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Pipelines snug in tighter seams,
Env vars lined up like tidy dreams,
Adapters chosen, checks run neat,
Outputs quoted, symlinks meet,
I hop and hum — CI now fleet. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the primary changes: hardening workflows through environment variable policy, permissions restrictions, and SHA pinning.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch core-684-harden-testing-workflows

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

👋 @GuyEshdat
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in the elementary repository.