11name : Package Neuron for Test
22
3- on :
3+ # SECURITY NOTE: This workflow runs on issue_comment events, which execute in the
4+ # base repository context where secrets are available. We intentionally checkout
5+ # refs/pull/<number>/merge instead of the PR author's fork (head_owner/head_repo)
6+ # to avoid explicit untrusted-repository checkout. Do NOT revert to fork-based
7+ # checkout without a full security review.
8+ # See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests
9+ on :
410 issue_comment :
511 types : [created]
612 push :
713
814jobs :
915 packaging :
10- if : ${{ (github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/package') && contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association)) || github.event_name == 'push' }}
16+ # Only respond to an exact /package comment from an OWNER/COLLABORATOR on a
17+ # pull request, or to trusted push events.
18+ if : ${{ (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == '/package' && contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association)) || github.event_name == 'push' }}
19+
20+ # Require a maintainer to approve before PR code runs in this privileged context.
21+ environment : ${{ github.event_name == 'issue_comment' && 'package-for-test' || '' }}
1122
1223 strategy :
1324 matrix :
@@ -102,8 +113,10 @@ jobs:
102113 run : yarn global add lerna
103114
104115 - name : Bootstrap
116+ # Use --frozen-lockfile when triggered by a PR comment so that a malicious
117+ # PR cannot silently introduce unaudited dependencies during packaging.
105118 run : |
106- yarn
119+ yarn ${{ github.event_name == 'issue_comment' && '--frozen-lockfile' || '' }}
107120 env :
108121 CI : false
109122
@@ -122,7 +135,8 @@ jobs:
122135 ./scripts/download-ckb.sh mac
123136 yarn package:test mac
124137 env :
125- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
138+ # Do not expose GITHUB_TOKEN to PR code. Only pass it for trusted push events.
139+ GITHUB_TOKEN : ${{ github.event_name == 'push' && secrets.GITHUB_TOKEN || '' }}
126140 SKIP_NOTARIZE : true
127141 USE_HARD_LINKS : false
128142
@@ -134,15 +148,17 @@ jobs:
134148 bash ./scripts/copy-ui-files.sh
135149 bash ./scripts/package-for-test.sh win
136150 env :
137- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
151+ # Do not expose GITHUB_TOKEN to PR code. Only pass it for trusted push events.
152+ GITHUB_TOKEN : ${{ github.event_name == 'push' && secrets.GITHUB_TOKEN || '' }}
138153
139154 - name : Package for Linux
140155 if : runner.os == 'Linux'
141156 run : |
142157 ./scripts/download-ckb.sh
143158 yarn package:test linux
144159 env :
145- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
160+ # Do not expose GITHUB_TOKEN to PR code. Only pass it for trusted push events.
161+ GITHUB_TOKEN : ${{ github.event_name == 'push' && secrets.GITHUB_TOKEN || '' }}
146162 USE_HARD_LINKS : false
147163
148164 - name : Upload Neuron App Zip
0 commit comments