ci: harden CI/CD security #1
a8958a4 to 9a59d26
MikeRyanDev
left a comment
Blocking this hardening PR because it suppresses a still-exploitable pull_request_target pattern instead of redesigning it.
e2e-tests.yml runs on pull_request_target (line 8), checks out the PR head (line 60), configures AWS OIDC and pulls test secrets (lines 71-83), then runs package scripts/tests from that PR checkout (lines 101-115). An authorized/compromised actor can get arbitrary PR code running in a base-repo trusted job with cloud credentials and API keys available.
pr-tarball.yml has the same shape: pull_request_target (line 3), PR-head checkout and npm scripts (lines 35-50), followed by a write-scoped GH_TOKEN release step (lines 56-76). persist-credentials: false does not protect later steps; PR code can persist PATH/GITHUB_ENV changes and intercept the later token-bearing release command.
Please move untrusted PR builds to pull_request without secrets/write scopes, or split this into an explicit trusted workflow_dispatch/maintainer workflow that does not execute PR-controlled code with base-repo credentials, before suppressing these findings in .github/zizmor.yml.
…at new files

e2e-tests.yml: Remove pull_request_target trigger entirely. The workflow is now workflow_dispatch-only with an optional pr_number input that checks out the PR merge ref. Maintainers trigger E2E runs manually, eliminating the risk of fork PRs executing arbitrary code with AWS credentials and API keys. The AUTHORIZED_USERS gate is removed since workflow_dispatch is already restricted to repo collaborators.

pr-tarball.yml: Split into two workflows. The build step (pr-tarball.yml) now uses a plain pull_request trigger with read-only permissions — it builds the tarball and uploads it as an artifact. A new pr-tarball-publish.yml workflow triggers via workflow_run after the build succeeds, downloading the artifact and creating the draft release + PR comment with write permissions. The publish workflow runs base-branch code only, never PR-controlled code.

zizmor.yml: Remove suppressions for e2e-tests.yml and pr-tarball.yml dangerous-triggers and excessive-permissions since neither workflow uses pull_request_target anymore.

Also runs prettier on the three new workflow files (dependabot-auto-merge, dependabot-major-analysis, security_zizmor) and the redesigned files.
- Fix impostor commit: upload-artifact SHA was ea165f8d65b6db9a...
(nonexistent), corrected to ea165f8d65b6e75b... (v4.6.2)
- Fix template injection in e2e-tests.yml: move github.ref into
env var (GH_REF) instead of inline ${{ }} expansion in run block
- Fix version comment mismatch in codeql.yml: v4 -> v4.35.4
- Suppress workflow_run trigger warning for pr-tarball-publish.yml
(by-design split build/publish pattern, never executes PR code)
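The two patterns discussed in this thread (PR-head checkout under pull_request_target, and inline `${{ }}` expansion in a run block) can be checked with a small line scan. This is an added example, not code from this PR and not a substitute for zizmor; the function name `audit`, the finding names, and both sample workflows are constructed for illustration.

```python
import re

RUN = re.compile(r"^(\s*(?:-\s+)?)run:(.*)$")   # a step's run: key
EXPR = re.compile(r"\$\{\{.*?\}\}")             # ${{ ... }} expansion
HEAD = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")

def audit(text):
    """Heuristic line scan of one workflow file; returns sorted finding names."""
    text = re.sub(r"(?m)(^|[ \t])#.*$", "", text)   # drop YAML comments (naive)
    found, run_col = set(), None
    if re.search(r"\bpull_request_target\b", text) and HEAD.search(text):
        found.add("pr-target-runs-pr-head")     # PR code in a credentialed job
    for line in filter(str.strip, text.splitlines()):
        m, indent = RUN.match(line), len(line) - len(line.lstrip())
        if m:                                   # run: with inline or block script
            run_col, script = len(m.group(1)), m.group(2)
        elif run_col is not None and indent > run_col:
            script = line                       # continuation of a run: | block
        else:
            run_col = None                      # sibling key such as env: ends it
            continue
        if EXPR.search(script):                 # expanded before the shell parses it
            found.add("template-injection-in-run")
    return sorted(found)

# Constructed sample workflows, not the repository's real files.
RISKY = """\
on:
  pull_request_target:
jobs:
  e2e:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          npm ci && npm test
          echo "ref is ${{ github.ref }}"
"""
SAFE = """\
on:
  pull_request:
jobs:
  build:
    steps:
      - run: echo "ref is $GH_REF"
        env:
          GH_REF: ${{ github.ref }}
"""
```

`audit(RISKY)` reports both findings and `audit(SAFE)` reports none; the scan is indentation-based and does not parse YAML, so treat a clean result as a first pass only.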
Summary
Part of Phase 2 CI/CD supply chain hardening.