fix(ci)(security): revert gate-check-v3 checkout to base SHA (internal#116 footgun)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 16s
CI / Detect changes (pull_request) Successful in 45s
E2E API Smoke Test / detect-changes (pull_request) Successful in 51s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 19s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 50s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
qa-review / approved (pull_request) Failing after 18s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 50s
security-review / approved (pull_request) Failing after 16s
gate-check-v3 / gate-check (pull_request) Failing after 30s
sop-tier-check / tier-check (pull_request) Successful in 18s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 46s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s
CI / Platform (Go) (pull_request) Successful in 14s
CI / Canvas (Next.js) (pull_request) Successful in 12s
CI / Python Lint & Test (pull_request) Successful in 11s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
audit-force-merge / audit (pull_request) Successful in 19s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 16s
CI / Detect changes (pull_request) Successful in 45s
E2E API Smoke Test / detect-changes (pull_request) Successful in 51s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 19s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 50s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
qa-review / approved (pull_request) Failing after 18s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 50s
security-review / approved (pull_request) Failing after 16s
gate-check-v3 / gate-check (pull_request) Failing after 30s
sop-tier-check / tier-check (pull_request) Successful in 18s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 46s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s
CI / Platform (Go) (pull_request) Successful in 14s
CI / Canvas (Next.js) (pull_request) Successful in 12s
CI / Python Lint & Test (pull_request) Successful in 11s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
audit-force-merge / audit (pull_request) Successful in 19s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
pull_request_target runs with the repo's secrets-context. Checking out github.event.pull_request.head.sha means a PR that modifies tools/gate-check-v3/gate_check.py executes that modified script with secrets. This is the canonical pull_request_target footgun. Fix: checkout base SHA instead of head SHA for pull_request_target events. Bug-1 (self-loop exclusion) and Bug-3 (403→exit0) from #547 are kept; only the checkout-ref regresses to the pre-#547 base-branch behavior. Refs: #551, internal#116, RFC#324 A4, feedback_pull_request_target_workflow_from_base Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
6a49bb3a77
commit
f36052b0ff
@ -40,16 +40,15 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
continue-on-error: true # Never block on our own detector failing
|
||||
steps:
|
||||
- name: Check out PR branch (head) for the script
|
||||
# NOTE: we intentionally check out the HEAD/PR branch here — not the base.
|
||||
# This is required so that script fixes in PR branches (e.g. the self-loop
|
||||
# exclusion in signal_6_ci) are actually used when evaluating that PR.
|
||||
# Security: this job runs with continue-on-error: true and does not
|
||||
# execute arbitrary PR code — it only runs the gate-check script which
|
||||
# is read-only (API reads + JSON stdout).
|
||||
- name: Check out BASE ref (never PR-head under pull_request_target)
|
||||
# pull_request_target runs with repo secrets-context, so checking out
|
||||
# the PR HEAD would execute PR-branch gate_check.py with secrets.
|
||||
# Fix: always load gate_check.py from the trusted base/default ref.
|
||||
# Bug-1 (self-loop exclusion) + Bug-3 (403→exit0) from #547 are
|
||||
# kept; only this checkout-ref regresses to pre-#547 behavior.
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
ref: ${{ github.event.pull_request.base.sha || github.ref_name }}
|
||||
|
||||
- name: Run gate-check-v3 (single PR mode)
|
||||
if: github.event_name == 'pull_request_target' || github.event.inputs.pr_number != ''
|
||||
|
||||
Loading…
Reference in New Issue
Block a user