Skip to content

[codex] fix security alerts#69

Merged
barnabasbusa merged 2 commits into
mainfrom
codex/fix-security-alerts
May 21, 2026
Merged

[codex] fix security alerts#69
barnabasbusa merged 2 commits into
mainfrom
codex/fix-security-alerts

Conversation

@parithosh
Copy link
Copy Markdown
Member

@parithosh parithosh commented May 20, 2026

Summary

Mirrors the workflow hardening landed in ethpandaops/assertoor#183.

  • Drops caller-controlled ref inputs from reusable check/build workflows so reusable jobs check out the event SHA instead of arbitrary PR-provided refs.
  • Moves the PR build workflow (build-dev.yml) from pull_request_target to pull_request and adds explicit read-only default permissions.
  • Splits PR binary builds from Docker publishing so fork PRs do not receive DockerHub secrets, while same-repository / manual trusted Docker publishing remains available.
  • Adds explicit workflow permissions and switches internal artifact handoffs (webui-package, buildoor_linux_amd64, buildoor_linux_arm64) to artifact IDs to avoid artifact-name poisoning.

Validation

  • actionlint clean

🤖 Generated with Claude Code

@parithosh @claude
[codex] fix security alerts
8301cdd 
Mirrors the workflow hardening from ethpandaops/assertoor#183:
- Drop caller-controlled ref inputs from reusable check/build workflows
- Move PR build trigger from pull_request_target to pull_request
- Add explicit read-only default permissions to workflows
- Split fork-PR binary builds from Docker publishing so secrets never reach untrusted code
- Switch internal artifact handoffs to artifact IDs to avoid name poisoning

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@qu0b-reviewer
Copy link
Copy Markdown

qu0b-reviewer Bot commented May 20, 2026
edited
Loading

🤖 qu0b-reviewer

Summary

Hardening GitHub Actions workflows to address security concerns: removing caller-controlled ref inputs (prevents building arbitrary code), switching from pull_request_target to pull_request with fork-aware logic (prevents secret exfiltration from untrusted PRs), adding read-only permissions, and switching artifact handoffs from names to IDs (prevents name-collision attacks). No code changes.

Issues

  • 🟡 _shared-build.yaml:323build_linux_arm64_binary downloads UI artifacts into ./pkg/webui/static but build_arm64_docker_image downloads into ./pkg/webui/static/bundle. This path mismatch predates this PR but was exposed by it: when docker jobs now use artifact-ids, build_arm64_docker_image receives only what the arm64 binary job put in ./pkg/webui/static, not the UI's bundle/ subdirectory. So ./pkg/webui/static/bundle will be missing on arm64 Docker builds. Verify this doesn't break the arm64 image — or add a build-ui step before the docker build on arm64.

Suggestions

  • _shared-build.yamlbuild_linux_arm64_binary and build_linux_amd64_binary declare outputs: artifact_id but the caller build-dev.yml never reads build_linux_amd64_binary.outputs.artifact_id or build_linux_arm64_binary.outputs.artifact_id for the build_binaries / build_binaries_and_docker paths (those download by artifact-ids within _shared-build.yaml). The outputs are only consumed by docker jobs within the reusable workflow. Unused output declarations are harmless but misleading — consider removing them.

NO_REVIEW_NEEDED

Reviewed @ f47ca8e8
"Better to ask forgiveness than permission." — Grace Hopper

@barnabasbusa barnabasbusa enabled auto-merge May 21, 2026 08:02
@barnabasbusa barnabasbusa merged commit 6f249a0 into main May 21, 2026
6 of 7 checks passed
@barnabasbusa barnabasbusa deleted the codex/fix-security-alerts branch May 21, 2026 08:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@barnabasbusa barnabasbusa barnabasbusa approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@parithosh @barnabasbusa