fix(ci)(security): revert gate-check-v3 checkout to base SHA (#551) #556
Merged
infra-runtime-be
merged 1 commits from 2026-05-11 19:41:50 +00:00
ci/551-gate-checkout-trusted-ref into main
1 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| f36052b0ff |
fix(ci)(security): revert gate-check-v3 checkout to base SHA (internal#116 footgun)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 16s
CI / Detect changes (pull_request) Successful in 45s
E2E API Smoke Test / detect-changes (pull_request) Successful in 51s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 19s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 50s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 20s
qa-review / approved (pull_request) Failing after 18s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 50s
security-review / approved (pull_request) Failing after 16s
gate-check-v3 / gate-check (pull_request) Failing after 30s
sop-tier-check / tier-check (pull_request) Successful in 18s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 46s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 10s
CI / Platform (Go) (pull_request) Successful in 14s
CI / Canvas (Next.js) (pull_request) Successful in 12s
CI / Python Lint & Test (pull_request) Successful in 11s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 9s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 9s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 14s
audit-force-merge / audit (pull_request) Successful in 19s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
pull_request_target runs with the repo's secrets-context. Checking out github.event.pull_request.head.sha means a PR that modifies tools/gate-check-v3/gate_check.py executes that modified script with secrets. This is the canonical pull_request_target footgun. Fix: checkout base SHA instead of head SHA for pull_request_target events. Bug-1 (self-loop exclusion) and Bug-3 (403→exit0) from #547 are kept; only the checkout-ref regresses to the pre-#547 base-branch behavior. Refs: #551, internal#116, RFC#324 A4, feedback_pull_request_target_workflow_from_base Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> |
