Skip to content

Commit 1c1d1a4

Browse files
committed
chore(ci): harden package_for_test against untrusted PR checkout
- Require maintainer approval via package-for-test environment for issue_comment triggers. - Do not expose GITHUB_TOKEN to packaging steps when triggered by PR comments. - Restrict slash command to exact "/package" body. - Use --frozen-lockfile on yarn install for PR-comment builds. - Add SECURITY NOTE about keeping refs/pull/<n>/merge checkout.
1 parent 36ed62d commit 1c1d1a4

1 file changed

Lines changed: 22 additions & 6 deletions

File tree

.github/workflows/package_for_test.yml

Lines changed: 22 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,24 @@
11
name: Package Neuron for Test
22

3-
on:
3+
# SECURITY NOTE: This workflow runs on issue_comment events, which execute in the
4+
# base repository context where secrets are available. We intentionally checkout
5+
# refs/pull/<number>/merge instead of the PR author's fork (head_owner/head_repo)
6+
# to avoid explicit untrusted-repository checkout. Do NOT revert to fork-based
7+
# checkout without a full security review.
8+
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
9+
on:
410
issue_comment:
511
types: [created]
612
push:
713

814
jobs:
915
packaging:
10-
if: ${{ (github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/package') && contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association)) || github.event_name == 'push' }}
16+
# Only respond to an exact /package comment from an OWNER/COLLABORATOR on a
17+
# pull request, or to trusted push events.
18+
if: ${{ (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == '/package' && contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association)) || github.event_name == 'push' }}
19+
20+
# Require a maintainer to approve before PR code runs in this privileged context.
21+
environment: ${{ github.event_name == 'issue_comment' && 'package-for-test' || '' }}
1122

1223
strategy:
1324
matrix:
@@ -102,8 +113,10 @@ jobs:
102113
run: yarn global add lerna
103114

104115
- name: Bootstrap
116+
# Use --frozen-lockfile when triggered by a PR comment so that a malicious
117+
# PR cannot silently introduce unaudited dependencies during packaging.
105118
run: |
106-
yarn
119+
yarn ${{ github.event_name == 'issue_comment' && '--frozen-lockfile' || '' }}
107120
env:
108121
CI: false
109122

@@ -122,7 +135,8 @@ jobs:
122135
./scripts/download-ckb.sh mac
123136
yarn package:test mac
124137
env:
125-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
138+
# Do not expose GITHUB_TOKEN to PR code. Only pass it for trusted push events.
139+
GITHUB_TOKEN: ${{ github.event_name == 'push' && secrets.GITHUB_TOKEN || '' }}
126140
SKIP_NOTARIZE: true
127141
USE_HARD_LINKS: false
128142

@@ -134,15 +148,17 @@ jobs:
134148
bash ./scripts/copy-ui-files.sh
135149
bash ./scripts/package-for-test.sh win
136150
env:
137-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
151+
# Do not expose GITHUB_TOKEN to PR code. Only pass it for trusted push events.
152+
GITHUB_TOKEN: ${{ github.event_name == 'push' && secrets.GITHUB_TOKEN || '' }}
138153

139154
- name: Package for Linux
140155
if: runner.os == 'Linux'
141156
run: |
142157
./scripts/download-ckb.sh
143158
yarn package:test linux
144159
env:
145-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
160+
# Do not expose GITHUB_TOKEN to PR code. Only pass it for trusted push events.
161+
GITHUB_TOKEN: ${{ github.event_name == 'push' && secrets.GITHUB_TOKEN || '' }}
146162
USE_HARD_LINKS: false
147163

148164
- name: Upload Neuron App Zip

0 commit comments

Comments
 (0)