-
Notifications
You must be signed in to change notification settings - Fork 61
security: harden sdk-regression issue_comment workflow — pin actions, scope permissions + token (PER-8610) #2332
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Shivanshu-07
merged 3 commits into
master
from
security/PER-8610-issue-comment-hardening
Jul 15, 2026
+20
−7
Merged
Changes from all commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good — moving job-id lookup + commit-status steps to the built-in
github.tokenand adding onlyactions: readis exactly right.P2 (residual — track, don't block): the PAT is still handed to the third-party
convictional/trigger-workflow-and-wait. Unavoidable for cross-repo dispatch (the built-in token can't dispatch other repos), and SHA-pinning limits the code that receives it — but to shrink blast radius, prefer a fine-grained PAT scoped to just the SDK repos +actions:write, or a short-lived GitHub App installation token minted per run. (Can't verify the PAT's scope from the workflow — flag for secret-config review.)P3 (pre-existing): the "Output Current Job Log URL" step around line 150 echoes
steps.jobs.outputs.html_url, but the step id isjob-url— so it always echoes empty. Since this PR is already the workflow-cleanup PR, cheap to fix the reference or drop the step. Also consider bumpingactions/github-scriptoff the 2021-era v4.1.0 (SHA-pinned, so not urgent).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. P3 fixed in 53c174f — the "Output Current Job Log URL" step now references
steps.job-url.outputs.html_url(the actual step id) instead of the emptysteps.jobs...; the commit-statustarget_urlalready used the correct id. Left the SHA-pinnedactions/github-scriptas-is (not urgent, per your note).P2 (PAT to the third-party dispatch action): agreed it's a residual we can't remove in-workflow (the built-in token can't dispatch other repos). Flagging for secret-config review to move it to a fine-grained PAT scoped to the SDK repos +
actions:write(or a per-run GitHub App installation token) — tracked as a follow-up, not in this workflow-cleanup PR.