
Commit 21ce876

authored
Merge pull request #3 from e271828-/codex/security-gha-pr-token-exfil
Harden external-PR workflows and restrict command triggers
2 parents 666c0ef + e2ebec7 commit 21ce876


3 files changed

+9
-5
lines changed


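--- a/.github/workflows/e2e-external-phase-1.yml
+++ b/.github/workflows/e2e-external-phase-1.yml
@@ -10,7 +10,9 @@ jobs:
 # If reviewed by a repo(/org) owner
 if: |
 github.event.pull_request.author_association != 'MEMBER'
-&& github.event.review.author_association == 'MEMBER'
+&& (
+contains(fromJson('["OWNER", "MEMBER"]'), github.event.review.author_association)
+)
 && github.event.review.state == 'approved'
 && contains(github.event.review.body, '/e2e')
 runs-on: ubuntu-latest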
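Review bot: The comment `# If reviewed by a repo(/org) owner` above the `if:` is now out of date, since the allowlist was widened to `["OWNER", "MEMBER"]`; change it to `# Run only when an org member or repo owner approves an external PR with '/e2e' in the review body`. A `pull_request_review` event also carries `github.event.review.commit_id`, the commit the approver actually looked at; if the checkout step later in this job (outside the hunk) uses `pull_request.head.sha`, it should use `review.commit_id` instead so a push racing the approval cannot swap in unreviewed code. The job's header and the rest of its body are outside this hunk.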

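--- a/.github/workflows/e2e-external-phase-2.yml
+++ b/.github/workflows/e2e-external-phase-2.yml
@@ -83,10 +83,6 @@ jobs:
 
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-with:
-# Important: use the commit that was reviewed. GitHub is making sure
-# that this is race-condition-proof
-ref: ${{ steps.extract_commit.outputs.COMMIT_ID }}
 
 - name: Install uv
 uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1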
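Review bot: With `ref:` removed, `actions/checkout` now checks out whatever the triggering event supplies as the default ref, but the hunk leaves no explanation of why the reviewed commit is deliberately no longer checked out, and the `extract_commit` step that produced `COMMIT_ID` (outside this hunk) may now be dead. Add a comment on the checkout step such as `# Intentionally check out the base repo, not the PR commit: this job runs with repository secrets, so untrusted PR code must never execute here` — that rationale is inferred from the PR title, not visible in the hunk, so adjust it if the job in fact has no secrets. If `COMMIT_ID` is still needed downstream, for example to fetch the PR's artifacts, make sure nothing taken from those artifacts is executed in this privileged job. The enclosing job starts before this hunk.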

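--- a/.github/workflows/e2e-private-link-in-pr.yml
+++ b/.github/workflows/e2e-private-link-in-pr.yml
@@ -10,6 +10,9 @@ jobs:
 if: |
 github.event.issue.pull_request
 && contains(github.event.comment.body, '/invite')
+&& (
+contains(fromJson('["OWNER", "MEMBER"]'), github.event.comment.author_association)
+)
 runs-on: ubuntu-latest
 strategy:
 matrix:
@@ -42,6 +45,9 @@ jobs:
 if: |
 github.event.issue.pull_request
 && contains(github.event.comment.body, '/invite')
+&& (
+contains(fromJson('["OWNER", "MEMBER"]'), github.event.comment.author_association)
+)
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write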
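Review bot: The same allowlist predicate is now repeated verbatim in both jobs (new lines 13-15 and 48-50), and the second job holds `pull-requests: write`, so a future edit that loosens one copy but not the other silently changes who can reach that write token; consider gating both behind a single small job via `needs:` that evaluates the predicate once, or at least add `# Keep in sync with the identical author_association gate on the other /invite job` above each copy. If any later step in these jobs (outside the hunks) interpolates `github.event.comment.body` or the issue title into a `run:` script, pass it through `env:` rather than `${{ }}` so a member-authored comment cannot inject shell. Both job headers are outside the hunks shown.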
