Skip to content

[codex] fix security alerts#29

Merged
parithosh merged 1 commit into
masterfrom
codex/fix-security-alerts
May 21, 2026
Merged

[codex] fix security alerts#29
parithosh merged 1 commit into
masterfrom
codex/fix-security-alerts

Conversation

@parithosh
Copy link
Copy Markdown
Member

@parithosh parithosh commented May 20, 2026

Summary

Mirrors the workflow hardening landed in ethpandaops/assertoor#183.

  • Drops caller-controlled ref inputs from reusable check/build workflows so reusable jobs check out the event SHA instead of arbitrary PR-provided refs.
  • Moves the PR build workflow (build-dev.yml) from pull_request_target to pull_request and adds explicit read-only default permissions.
  • Splits PR binary builds from Docker publishing so fork PRs do not receive DockerHub secrets, while same-repository / manual trusted Docker publishing remains available.
  • Adds explicit workflow permissions and switches internal artifact handoffs to artifact IDs to avoid artifact-name poisoning.

Validation

  • actionlint clean

🤖 Generated with Claude Code

@parithosh @claude
[codex] fix security alerts
e4caca8 
Mirrors the workflow hardening from ethpandaops/assertoor#183:
- Drop caller-controlled ref inputs from reusable check/build workflows
- Move PR build trigger from pull_request_target to pull_request
- Add explicit read-only default permissions to workflows
- Split fork-PR binary builds from Docker publishing so secrets never reach untrusted code
- Switch internal artifact handoffs to artifact IDs to avoid name poisoning

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@qu0b-reviewer
Copy link
Copy Markdown

qu0b-reviewer Bot commented May 20, 2026

🤖 qu0b-reviewer

Summary

Security-hardening PR that drops the ref input from the reusable build workflow, switches from pull_request_target to pull_request, restricts docker pushes on external PRs, hardens permissions to contents: read, and bumps several action versions. Mostly solid, but the artifact-ID refactor introduces correctness issues in workflows that consume the reusable workflow without outputs defined.

Issues

  • 🔴 blocker .github/workflows/build-master.yml, .github/workflows/build-release.yml — Both call _shared-build.yaml but neither defines needs: for the binary build jobs, so needs.build_linux_amd64_binary.outputs.artifact_id and needs.build_linux_arm64_binary.outputs.artifact_id will be empty/undefined. actions/download-artifact will silently find nothing, and the Docker images will be built without the binary artifacts.

  • 🔴 blocker _shared-build.yaml:227,252 — The two job outputs artifact_id are both named identically but resolve to different steps (upload_binary within their respective jobs). This works, but the downstream jobs in build-master.yml / build-release.yml still lack the needs: declarations entirely, making the artifact_id resolution fail at trigger time:

    Error: Unexpected input 'artifact-ids': Input required and not supplied: artifact-ids

Suggestions

  • _shared-build.yamlbuild_darwin_arm64_binary and build_windows_binary don't have outputs.artifact_id defined, so callers that also needs: those jobs would hit the same silent-failure problem. If they may be consumed by future callers, add outputs for consistency.

Reviewed @ e4caca8e
"Simplicity is prerequisite for reliability." — Edsger Dijkstra

@parithosh parithosh merged commit f3f6f62 into master May 21, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@parithosh