Skip to content

chore(ci): give new workspace comment workflow correct perms #2606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hopehadfield wants to merge 1 commit into
base: main
Choose a base branch
from
+2 −1
Open

chore(ci): give new workspace comment workflow correct perms #2606

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .github/workflows/new-workspace-pr-comment.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Comment on PRs that add a workspace

on:
pull_request:
pull_request_target:
Copy link
Copy Markdown

@rhdh-qodo-merge rhdh-qodo-merge bot Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Privileged checkout of pr 🐞 Bug ⛨ Security

The workflow now runs on pull_request_target with write permissions, but still checks out the PR
head SHA, making attacker-controlled repository content available in a privileged job context. This
creates a critical token/permission abuse vector if any step (now or in the future) executes or
sources code from the checked-out workspace.
Agent Prompt 
### Issue description
`pull_request_target` runs with base-repo context and a write-capable token. Checking out the PR head SHA in that job makes attacker-controlled code/content available, which is a known GitHub Actions security anti-pattern.

### Issue Context
The workflow only needs to detect whether `workspaces/` gained new top-level directories and then post a comment.

### Fix Focus Areas
- .github/workflows/new-workspace-pr-comment.yml[1-40]

### Suggested fix
- Do **not** check out `github.event.pull_request.head.sha` in a `pull_request_target` job.
- Prefer one of:
  1) Checkout the base (`ref: ${{ github.event.pull_request.base.sha }}`) and then `git fetch` the PR head into a separate ref and use `git ls-tree <sha>:workspaces` without checking out the PR content into the working tree; or
  2) Avoid checkout entirely and use GitHub API to compare tree contents (read-only operations) while keeping write permissions only for the comment step.
- If you must access PR content, only check out the minimal paths needed (similar to `validate-codeowners.yml`’s `git checkout pr-head -- <path>` pattern).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

types: [opened, reopened, synchronize]
branches: [main]

Expand Down Expand Up @@ -30,6 +30,7 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
persist-credentials: false

- name: Fetch base commit
run: git fetch --no-tags origin ${{ github.event.pull_request.base.sha }}
Expand Down
Loading