Conversation
|
Good. Now let me think about the actual security concern and verify correctness of the In GitHub Actions expressions,
This is correct behavior. Now the real security question: Is The allowed values This is a legitimate security hardening. The change is correct and addresses a real privilege escalation vector. Let me check one more thing -- whether there's any edge case with the
The change looks correct and is a meaningful security improvement. There are no actionable issues. LGTM |
|
/bonk re-review after you read and research how the underlying ask-bonk action enforces You cannot only look at the workflow files within this repo. You must look at the full upstream action and code. Throughly review https://github.com/ask-bonk/ask-bonk/blob/main/github/action.yml#L25-L28 before you come back. |
|
As a data point: Claude Code's GitHub Action does this the same way (write users only): https://github.com/anthropics/claude-code-action/blob/main/action.yml - it does not have to be re-defined in the consuming repo's action (which is easy to get wrong / puts the burden on the consumer/user to get right) |
![ask-bonk[bot]](https://avatars.githubusercontent.com/in/2454580?s=60&v=4){kind=small}
There was a problem hiding this comment.
The author_association check is redundant with the upstream ask-bonk action's built-in permission enforcement and has a functional correctness issue. Details in inline comment.
This review was generated by an AI assistant (OpenCode/Claude) and may contain errors. Please verify all findings independently.
| if: >- | ||
| github.event.sender.type != 'Bot' && | ||
| contains(github.event.comment.body, '/bigbonk') && | ||
| contains( | ||
| fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), | ||
| github.event.comment.author_association || github.event.review.author_association | ||
| ) | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 30 | ||
| permissions: |
There was a problem hiding this comment.
Two issues with this if expression:
1. The author_association check is redundant with the action's built-in enforcement.
The ask-bonk action already enforces permission checks server-side before OpenCode is installed or invoked. Looking at the action.yml inputs:
permissions:
description: "Required permission level: 'admin', 'write', 'any', or 'CODEOWNERS'"
required: false
default: "write"This workflow passes permissions: write on line 47, matching the default. The action's orchestrate.ts checkPermissions() function is the first thing executed in main(). It calls the GitHub API (/repos/{owner}/{repo}/collaborators/{actor}/permission) and halts the job via core.setFailed() if the actor doesn't have write access. This happens before OIDC token exchange, before OpenCode installation, and before any secrets are consumed by the model process.
As @elithrar noted, this is the same pattern used by claude-code-action — the action itself is the authorization boundary, not the workflow if condition. Duplicating authorization logic in the consuming workflow is fragile (as demonstrated by issue #2 below) and creates a false sense of security while the real enforcement happens elsewhere.
The PR description's framing of "privilege-escalation and secret-exfiltration risk" is inaccurate — that risk is already mitigated by the action's built-in check.
2. The mention check doesn't work for pull_request_review events.
Line 19 checks github.event.comment.body for /bigbonk, but for pull_request_review events the trigger text would be in github.event.review.body. This bug existed before this PR (the original if had the same issue), so it's not a regression, but it means the author_association guard on lines 20-23 is only exercised for issue_comment events since pull_request_review invocations are already blocked by the faulty mention check.
Recommendation: Revert this change. The action's built-in permissions: write enforcement is the correct and complete authorization boundary. If you want the minor optimization of avoiding runner allocation for unauthorized commenters, that should be handled at the action level (which already does mention matching in its own Check mentions step), not duplicated in every consuming workflow.
|
Review posted successfully on PR #6207. Here's a summary of my findings: Review SummaryREQUEST_CHANGES posted on PR #6207. Key Findings
|
3 participants
Motivation
bigbonkworkflow could be triggered by any non-bot commenter while running withid-token: write, repo write permissions, and injected Cloudflare secrets, creating a CI privilege-escalation and secret-exfiltration risk.Description
ifexpression in.github/workflows/bigbonk.ymlto require that the comment/review author association is one ofOWNER,MEMBER, orCOLLABORATORin addition to the existing non-bot and/bigbonkmention checks.fromJSON('["OWNER","MEMBER","COLLABORATOR"]')and testsgithub.event.comment.author_association || github.event.review.author_associationto block untrusted external commenters.Testing
sed -n '1,220p' .github/workflows/bigbonk.ymlandnl -ba .github/workflows/bigbonk.yml, which showed the newifexpression as intended (succeeded).git diff -- .github/workflows/bigbonk.ymlto inspect the patch (succeeded).git ls-remotebut the network check failed due to environment/proxy restrictions (failed).Codex Task