
ci: Fix authorization logic in pull_request_target workflows#223

Merged
rm3l merged 1 commit into redhat-developer:main from rm3l:ci_fix_authz_logic_on_pull_request_target_workflows
Aug 27, 2025

Conversation

@rm3l
Member

@rm3l rm3l commented Aug 27, 2025

Description

Otherwise, they might be tricked into executing arbitrary code.

Which issue(s) does this PR fix or relate to?

More details in https://boostsecurity.io/blog/weaponizing-dependabot-pwn-request-at-its-finest

PR acceptance criteria

  • Tests
  • Documentation

How to test changes / Special notes to the reviewer

Summary by Sourcery

Fix authorization logic in pull_request_target workflows to prevent executing untrusted code from forks by basing environment assignment on pull request author and checking out the commit SHA instead of branch ref.

CI:

  • Assign environment based on pull request user login rather than the GitHub actor
  • Checkout the specific commit SHA instead of the branch ref in pull_request_target workflows

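The following workflow is an added example, not the redhat-developer repository's own workflow file, showing what the two changes summarised above look like in a `pull_request_target` job. The workflow name, the `internal` / `external` environment names, the approver logins and the final `run` step are placeholders; the context expressions (`github.actor`, `github.event.pull_request.user.login`, `github.event.pull_request.head.sha`, `github.event.pull_request.head.ref`) and the `actions/checkout` inputs are real.

```yaml
# Added example (not the project's own workflow): a pull_request_target job
# carrying the two fixes described in this PR. Environment names and approver
# logins below are placeholders.
name: pr-target-authz-example

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# pull_request_target runs in the base repository's context with access to
# its secrets, so keep the default token read-only unless a step needs more.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    # BEFORE (what the PR replaces): an environment chosen from github.actor,
    #   environment: ${{ github.actor == 'trusted-user' && 'internal' || 'external' }}
    # github.actor is whoever triggered the latest event, for example whoever
    # pushed the latest commit to the PR branch; it is not the PR author.
    #
    # AFTER: key the environment (and with it which secrets and required
    # reviewers apply) on the pull request author from the event payload.
    environment: >-
      ${{ contains(fromJSON('["alice", "bob"]'),
                   github.event.pull_request.user.login) && 'internal' || 'external' }}

    steps:
      # BEFORE (what the PR replaces):
      #   ref: ${{ github.event.pull_request.head.ref }}
      # A branch name resolves at checkout time to whatever the fork owner
      # pushed last, so the code that runs can differ from the commit that
      # was reviewed or approved.
      #
      # AFTER: check out the exact commit recorded in the event. The `ref`
      # input of actions/checkout accepts a full commit SHA.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Any step that executes checked-out content (build scripts, tests,
      # lint hooks) still runs fork code with base-repository privileges, so
      # it belongs behind the environment's required-reviewer gate.
      - run: make lint   # placeholder step
```

Two details are worth keeping in mind when applying this pattern. First, `github.actor` and `github.event.pull_request.user.login` differ exactly when someone other than the PR author pushes to the PR branch, which is the situation the linked blog post describes; basing the environment on the author closes that gap, while the environment's required reviewers still have to approve before a job on the `internal` environment proceeds. Second, pinning `ref` to `head.sha` fixes which commit runs, but that commit is still fork-controlled content: the fix prevents a later push from swapping the code out from under a review, it does not make the checked-out tree trustworthy.
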
@sonarqubecloud

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud


@sourcery-ai sourcery-ai Bot left a comment


Hey there - I've reviewed your changes - here's some feedback:

  • The hard-coded approvers list in the workflow contains duplicate entries; consider deduplicating or extracting it into a single variable/file to improve maintainability.
  • Ensure that passing the pull request SHA via the `ref` input is supported by this pinned `actions/checkout` version, or consider using the dedicated `commit` input for clarity.

@rm3l
Member Author

rm3l commented Aug 27, 2025

/cherry-pick release-1.6
/cherry-pick release-1.7

@openshift-cherrypick-robot

@rm3l: once the present PR merges, I will cherry-pick it on top of release-1.6, release-1.7 in new PRs and assign them to you.

Details

In response to this:

/cherry-pick release-1.6
/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@rm3l rm3l merged commit 57aa46b into redhat-developer:main Aug 27, 2025
6 of 8 checks passed
@rm3l rm3l deleted the ci_fix_authz_logic_on_pull_request_target_workflows branch August 27, 2025 18:13
@openshift-cherrypick-robot

@rm3l: #223 failed to apply on top of branch "release-1.6":

Applying: ci: Fix authorization logic in pull_request_target workflows
Using index info to reconstruct a base tree...
A	.github/workflows/pre-commit.yaml
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): .github/workflows/pre-commit.yaml deleted in HEAD and modified in ci: Fix authorization logic in pull_request_target workflows. Version ci: Fix authorization logic in pull_request_target workflows of .github/workflows/pre-commit.yaml left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 ci: Fix authorization logic in pull_request_target workflows

Details

In response to this:

/cherry-pick release-1.6
/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-cherrypick-robot

@rm3l: new pull request created: #224

Details

In response to this:

/cherry-pick release-1.6
/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
