CI Workflow updates (#313)

* Harden GitHub workflows against unsafe writes

* Harden agent verification workflows

* Extract archives atomically in verification

* Harden workflow agent execution and URL checks

* Harden workflow sandbox process handling

* Retry transient DNS failures during validation

* Harden protocol matrix artifact handling

Author: benbrandt

.github/workflows/build-registry.yml

@@ -28,7 +28,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
@@ -53,13 +55,15 @@ jobs:
       agent_ids: ${{ steps.list-agents.outputs.ids }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: "lts/*"
 
@@ -77,7 +81,7 @@ jobs:
 
       - name: Upload artifacts
         if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: registry
           path: dist/
@@ -93,13 +97,15 @@ jobs:
       matrix:
         agent_id: ${{ fromJson(needs.build.outputs.agent_ids) }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: "lts/*"
 
@@ -117,10 +123,12 @@ jobs:
       S3_PREFIX: registry/v1
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: registry
           path: dist/
@@ -167,15 +175,16 @@ jobs:
     if: always() && !failure() && !cancelled() && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: registry
           path: dist/
@@ -204,9 +213,12 @@ jobs:
             NOTES="- Initial release"
           fi
 
-          echo "notes<<EOF" >> "$GITHUB_OUTPUT"
-          echo "$NOTES" >> "$GITHUB_OUTPUT"
-          echo "EOF" >> "$GITHUB_OUTPUT"
+          NOTES_DELIMITER="$(uuidgen)"
+          {
+            echo "notes<<$NOTES_DELIMITER"
+            printf '%s\n' "$NOTES"
+            echo "$NOTES_DELIMITER"
+          } >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
 

.github/workflows/build_registry.py

@@ -3,11 +3,14 @@
 
 import argparse
 import copy
+import ipaddress
 import json
 import os
 import re
+import socket
 import sys
 import urllib.error
+import urllib.parse
 import urllib.request
 import xml.etree.ElementTree as ET
 from pathlib import Path
@@ -54,22 +57,96 @@
     "true",
     "yes",
 )
+MAX_URL_REDIRECTS = 5
 
 
-def url_exists(url: str, method: str = "HEAD", retries: int = 3) -> bool:
+class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
+    """Disable urllib's implicit redirects so each target can be validated first."""
+
+    def redirect_request(self, req, fp, code, msg, headers, newurl):  # noqa: ANN001
+        return None
+
+
+URL_OPENER = urllib.request.build_opener(NoRedirectHandler)
+
+
+class UrlSafetyResolutionError(Exception):
+    """Raised when URL safety DNS resolution fails before the request attempt."""
+
+
+def is_public_https_url(url: str, retry_dns_errors: bool = False) -> bool:
+    """Return whether URL validation may safely request this target."""
+    parsed = urllib.parse.urlparse(url)
+    if parsed.scheme != "https" or not parsed.hostname:
+        return False
+
+    hostname = parsed.hostname.strip().lower()
+    if hostname in {"localhost", "localhost.localdomain"} or hostname.endswith(".localhost"):
+        return False
+
+    try:
+        addresses = socket.getaddrinfo(hostname, parsed.port or 443, type=socket.SOCK_STREAM)
+    except OSError as exc:
+        if retry_dns_errors:
+            raise UrlSafetyResolutionError from exc
+        return False
+
+    for *_, sockaddr in addresses:
+        try:
+            ip = ipaddress.ip_address(sockaddr[0])
+        except ValueError:
+            return False
+        if not ip.is_global or ip.is_multicast:
+            return False
+
+    return bool(addresses)
+
+
+def url_exists(
+    url: str,
+    method: str = "HEAD",
+    retries: int = 3,
+    redirects_remaining: int = MAX_URL_REDIRECTS,
+) -> bool:
     """Check if a URL exists using HEAD or GET request with retries."""
     import time
 
     for attempt in range(retries):
         try:
+            if not is_public_https_url(url, retry_dns_errors=True):
+                return False
             req = urllib.request.Request(url, method=method)
             req.add_header("User-Agent", "ACP-Registry-Validator/1.0")
-            with urllib.request.urlopen(req, timeout=15) as response:
+            with URL_OPENER.open(req, timeout=15) as response:
                 return response.status in (200, 301, 302)
+        except UrlSafetyResolutionError:
+            if attempt < retries - 1:
+                time.sleep(2**attempt)
+                continue
+            return False
         except urllib.error.HTTPError as e:
+            if e.code in (301, 302, 303, 307, 308):
+                if redirects_remaining <= 0:
+                    return False
+                location = e.headers.get("Location")
+                if not location:
+                    return False
+                next_url = urllib.parse.urljoin(url, location)
+                next_method = "GET" if e.code == 303 else method
+                return url_exists(
+                    next_url,
+                    method=next_method,
+                    retries=retries,
+                    redirects_remaining=redirects_remaining - 1,
+                )
             # Some servers don't support HEAD, try GET
             if method == "HEAD" and e.code in (403, 405):
-                return url_exists(url, method="GET", retries=retries - attempt)
+                return url_exists(
+                    url,
+                    method="GET",
+                    retries=retries - attempt,
+                    redirects_remaining=redirects_remaining,
+                )
             if attempt < retries - 1 and e.code in (429, 500, 502, 503, 504):
                 time.sleep(2**attempt)
                 continue

.github/workflows/client.py

@@ -13,6 +13,30 @@
 from dataclasses import dataclass, field
 from pathlib import Path
 
+from registry_utils import sanitize_agent_env, subprocess_group_kwargs, terminate_process_group
+
+AGENT_ENV_PASSTHROUGH = {
+    "CI",
+    "COMSPEC",
+    "NPM_CONFIG_CACHE",
+    "NODE_EXTRA_CA_CERTS",
+    "PATH",
+    "PATHEXT",
+    "PYTHON_KEYRING_BACKEND",
+    "PYTHON_KEYRING_DISABLED",
+    "REQUESTS_CA_BUNDLE",
+    "SSL_CERT_DIR",
+    "SSL_CERT_FILE",
+    "SystemRoot",
+    "TMP",
+    "TMPDIR",
+    "TEMP",
+    "UV_CACHE_DIR",
+    "WINDIR",
+    "XDG_CACHE_HOME",
+    "XDG_CONFIG_HOME",
+}
+
 
 @dataclass
 class AuthMethod:
@@ -154,6 +178,8 @@ def run_auth_check(
     cwd: Path,
     env: dict[str, str] | None = None,
     timeout: float = 60.0,
+    home_dir: Path | None = None,
+    prepend_path: list[str] | None = None,
 ) -> AuthCheckResult:
     """Verify an agent supports ACP authentication.
 
@@ -166,16 +192,25 @@ def run_auth_check(
     Returns:
         AuthCheckResult with success status and auth methods
     """
-    # Build isolated environment
-    full_env = os.environ.copy()
+    # Build isolated environment without leaking GitHub Actions credentials or workspace paths.
+    full_env = {
+        name: value
+        for name in AGENT_ENV_PASSTHROUGH
+        if (value := os.environ.get(name)) not in (None, "")
+    }
     full_env["TERM"] = "dumb"
-    if env:
-        full_env.update(env)
+    full_env.update(sanitize_agent_env(env))
 
     # Use a temporary directory as HOME if not specified
-    if "HOME" not in (env or {}):
-        sandbox_home = tempfile.mkdtemp(prefix="acp-auth-check-")
-        full_env["HOME"] = sandbox_home
+    if home_dir is None:
+        home_dir = Path(tempfile.mkdtemp(prefix="acp-auth-check-"))
+    else:
+        home_dir.mkdir(parents=True, exist_ok=True)
+    full_env["HOME"] = str(home_dir)
+
+    if prepend_path:
+        base_path = full_env.get("PATH", os.environ.get("PATH", ""))
+        full_env["PATH"] = os.pathsep.join([*prepend_path, base_path])
 
     proc = None
     t0 = time.monotonic()
@@ -195,6 +230,7 @@ def run_auth_check(
             stderr=subprocess.PIPE,
             text=True,
             bufsize=0,
+            **subprocess_group_kwargs(),
         )
 
         # Send initialize request with capabilities
@@ -281,8 +317,4 @@ def run_auth_check(
         )
     finally:
         if proc:
-            proc.terminate()
-            try:
-                proc.wait(timeout=2)
-            except subprocess.TimeoutExpired:
-                proc.kill()
+            terminate_process_group(proc)