Skip to content

security: harden sdk-regression issue_comment workflow — pin actions, scope permissions + token (PER-8610)#2332

Open
Shivanshu-07 wants to merge 1 commit into
masterfrom
security/PER-8610-issue-comment-hardening
Open

security: harden sdk-regression issue_comment workflow — pin actions, scope permissions + token (PER-8610)#2332
Shivanshu-07 wants to merge 1 commit into
masterfrom
security/PER-8610-issue-comment-hardening

Conversation

@Shivanshu-07

Copy link
Copy Markdown
Contributor

Summary

Hardens .github/workflows/sdk-regression.yml (F-012, CWE-284/CWE-269). This issue_comment-triggered workflow injects the cross-repo dispatch PAT WORKFLOW_DISPATCH_ACTIONS_TOKEN into more steps than strictly need it — including a third-party action — so a step compromise could exfiltrate a token that can dispatch workflows across other percy/* repos.

The issue_comment trigger intent, the author-permission guard (write/admin collaborators only), and the regression-trigger flow are all unchanged.

Actions SHA-pinned (verified)

All third-party action uses: are pinned to full 40-char commit SHAs with a trailing # vX.Y.Z comment. Each tag was re-resolved live against the GitHub API for this PR and confirmed correct (already pinned by an earlier hardening pass; no SHA changed):

Action Version Commit SHA
actions/github-script v4.1.0 f891eff65186019cbb3f7190c4590bc0a1b76fbc
xt0rted/pull-request-comment-branch v3.0.0 e8b8daa837e8ea7331c0003c9c316a64c6d8b0b1
actions-ecosystem/action-regex-match v2.0.2 9e6c4fb3d5e898f505be7a1fb6e7b0a278f6665b
Tiryoh/gha-jobid-action v1.4.0 be260d8673c9211a84cdcf37794ebd654ba81eef
winterjung/split v2.1.0 7f51d99e7cc1f147f6f99be75acf5e641930af88
convictional/trigger-workflow-and-wait v1.6.5 f69fa9eedd3c62a599220f4d5745230e237904be

Permissions block

Top-level permissions: contents: read (already present). The regression job keeps its least-privilege grant and adds actions: read so the built-in GITHUB_TOKEN can read this run's job metadata:

permissions:
  contents: read
  pull-requests: read
  statuses: write
  actions: read   # added

How the token injection was narrowed

WORKFLOW_DISPATCH_ACTIONS_TOKEN is now injected into exactly one step — the only one that strictly requires it:

  • convictional/trigger-workflow-and-wait — keeps the PAT. It dispatches test.yml in a different percy/* repo, which the built-in GITHUB_TOKEN cannot do.
  • Tiryoh/gha-jobid-action (third-party) — switched to ${{ github.token }}. It only reads this run's job metadata on percy/cli; the new actions: read grant covers it. The cross-repo PAT is no longer handed to a third-party action.
  • Both actions/github-script commit-status steps — switched to ${{ github.token }}. They only write commit statuses on percy/cli, covered by the existing job-level statuses: write.

No workflow/job-level env exposed the token; the over-exposure was per-step with: inputs, which is what this PR narrows.

🤖 Generated with Claude Code

… (PER-8610)

F-012 (CWE-284/CWE-269): the issue_comment-triggered SDK Regression
workflow injects the cross-repo WORKFLOW_DISPATCH_ACTIONS_TOKEN PAT into
steps that do not need it, including a third-party action. Scope the PAT
to only the single step that strictly requires cross-repo dispatch:

- Tiryoh/gha-jobid-action (third-party) now uses the built-in GITHUB_TOKEN
  with a new job-level `actions: read` grant (it only reads this run's
  job metadata on percy/cli).
- Both actions/github-script commit-status steps now use GITHUB_TOKEN,
  covered by the existing job-level `statuses: write`.
- convictional/trigger-workflow-and-wait keeps the PAT — it is the only
  step that dispatches test.yml in another percy repo, which GITHUB_TOKEN
  cannot do.

All third-party action SHA pins were re-resolved live against the GitHub
API and confirmed correct (unchanged). issue_comment trigger, the
author-permission (write/admin) guard, and the regression flow are
unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Shivanshu-07 Shivanshu-07 requested a review from a team as a code owner July 6, 2026 05:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant