fix(workflows): Resolve security vulnerabilities in GitHub Actions #3
EthanThePhoenix38 merged 2 commits into master
Conversation
- Change dependabot-auto-merge.yml from pull_request_target to pull_request for security
- Update sync-fork.yml to abort on merge conflicts instead of auto-resolving
- Change sync-fork.yml to use --force-with-lease for tags instead of --force
- Pin pnpm version to 9.1.0 in security-dependency-scan-2x-daily.yml

Co-authored-by: EthanThePhoenix38 <103653068+EthanThePhoenix38@users.noreply.github.com>
Pull request overview
This PR addresses critical security vulnerabilities in three GitHub Actions workflows by fixing permission issues, improving merge conflict handling, and ensuring reproducible builds.
Key Changes:
- Changed `dependabot-auto-merge.yml` trigger from `pull_request_target` to `pull_request` to prevent malicious forks from executing code with elevated permissions
- Rewrote `sync-fork.yml` to abort on merge conflicts rather than auto-resolving them, preventing silent overwrites of local changes
- Pinned pnpm to version `9.1.0` in `security-dependency-scan-2x-daily.yml` for reproducible builds
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.github/workflows/dependabot-auto-merge.yml` | Changed from `pull_request_target` to `pull_request` trigger to remove elevated permissions for fork PRs |
| `.github/workflows/sync-fork.yml` | Complete rewrite to handle merge conflicts safely by aborting instead of auto-resolving, and uses `--force-with-lease` for safer pushes |
| `.github/workflows/security-dependency-scan-2x-daily.yml` | Pinned pnpm version to `9.1.0` for build reproducibility |
| - cron: '0 0 * * *' # Minuit UTC | ||
| - cron: '0 12 * * *' # Midi UTC |
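Review bot: both schedules fire at minute 0, the top of the hour, which GitHub documents as a high-load period during which `schedule` runs can be delayed or skipped; pick an off-peak minute, e.g. `- cron: '17 0 * * *'` and `- cron: '17 12 * * *'`, and keep the two entries twelve hours apart as they are now. Note also that a `schedule` trigger only runs from the default branch, so this file has no effect until the PR is merged to master.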
The inline comments contain French words ("Minuit" and "Midi"). For consistency and accessibility in an English codebase, these should be in English ("Midnight UTC" and "Noon UTC").
| - cron: '0 0 * * *' # Minuit UTC | |
| - cron: '0 12 * * *' # Midi UTC | |
| - cron: '0 0 * * *' # Midnight UTC | |
| - cron: '0 12 * * *' # Noon UTC |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fbe770d83e
| on: | ||
| pull_request_target: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] |
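Review bot: this hunk drops `pull_request_target` and keeps `pull_request`, which is the right direction (a fork PR then runs with a read-only `GITHUB_TOKEN` and no repository secrets), but nothing visible grants the token write access, and a `pull_request` run for a Dependabot PR is read-only by default, so any later approve or merge step using `GITHUB_TOKEN` will fail. Add an explicit workflow-level grant, `permissions:` / `  contents: write` / `  pull-requests: write`, which GitHub honours for Dependabot-triggered runs, and gate the job with `if: github.event.pull_request.user.login == 'dependabot[bot]'` so the write-capable token is only ever used for Dependabot's own PRs. Fork PRs keep the read-only token regardless of the `permissions` block, so that grant does not reintroduce the `pull_request_target` risk.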
Restore write-capable trigger for Dependabot merges
Switching this workflow to on: pull_request means Dependabot-triggered runs execute with a read‑only GITHUB_TOKEN (GitHub restricts write perms for Dependabot PRs), so the later gh pr merge and gh pr review steps cannot write and the auto‑merge/approve behavior will fail for every Dependabot PR. If the security concern requires avoiding pull_request_target, you’ll need another write-capable mechanism (e.g., a separate workflow_run job) to preserve auto-merging.
Summary
Fixes critical security issues in three GitHub Actions workflows identified by automated review:
Security Fixes:
- `dependabot-auto-merge.yml`: Changed `pull_request_target` → `pull_request` to prevent malicious forks from executing code with write permissions
- `sync-fork.yml`: Abort on merge conflicts instead of auto-resolving with `-X theirs` (prevents silent overwrites of local changes); use `--force-with-lease` for tags (prevents accidental data loss)
- `security-dependency-scan-2x-daily.yml`: Pin pnpm to `9.1.0` for reproducible builds

Before (vulnerable):
After (secure):
Related Linear tickets, Github issues, and Community forum posts
Addresses automated security review feedback from Copilot PR reviewer.
Review / Merge checklist
- release/backport (if the PR is an urgent fix that needs to be backported)
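The two sync-fork behaviours the PR description asks for, abort on conflict instead of `-X theirs` and a leased rather than forced tag push, as an added example that is not the project's own `sync-fork.yml`. The remote name `upstream`, the branch `master`, the tag `v1.0`, the `sync-bot` identity and the two throwaway repositories built by `demo` are all assumptions made here to keep the script self-contained:

```shell
#!/bin/sh
# Added example (not the project's sync-fork.yml): the git steps a fork-sync
# job should run after this PR's change of policy.
#  (1) Merge the upstream branch and ABORT on conflict, instead of letting
#      "-X theirs" silently discard fork-local changes.
#  (2) Push a tag with an explicit --force-with-lease, so a tag somebody moved
#      on the remote after we last looked is refused instead of clobbered.
# Remote, branch and tag names and the demo repositories are assumptions.
set -eu

# Commits made here need an identity; CI runners usually have none configured.
export GIT_AUTHOR_NAME=sync-bot GIT_AUTHOR_EMAIL=sync-bot@example.invalid
export GIT_COMMITTER_NAME=sync-bot GIT_COMMITTER_EMAIL=sync-bot@example.invalid

# sync_branch <repo> <upstream-remote> <branch>
# 0: upstream merged cleanly.  1: the merge conflicted; it was aborted and the
# checkout is exactly as before (nothing auto-resolved, nothing committed).
sync_branch() {
  repo=$1 remote=$2 branch=$3
  git -C "$repo" fetch --quiet "$remote" "$branch"
  if git -C "$repo" merge --quiet --no-edit FETCH_HEAD; then
    return 0
  fi
  git -C "$repo" merge --abort          # never "-X theirs"; fail the job instead
  echo "sync_branch: conflict merging $remote/$branch, aborted" >&2
  return 1
}

# remote_tag_oid <repo> <remote> <tag>
# Prints the oid the remote currently holds for the tag, or nothing if absent.
remote_tag_oid() {
  git -C "$1" ls-remote --tags "$2" "refs/tags/$3" |
    awk -v ref="refs/tags/$3" '$2 == ref { print $1 }'
}

# push_tag_with_lease <repo> <remote> <tag> <expected-remote-oid>
# Plain --force overwrites whatever the remote holds now. The lease says "only
# if the remote still holds <expected-remote-oid>" (empty = must not exist
# yet); otherwise git refuses with "stale info" and exits non-zero.
push_tag_with_lease() {
  git -C "$1" push --quiet --force-with-lease="refs/tags/$3:$4" "$2" "refs/tags/$3"
}

# demo: builds two throwaway repositories (constructed data, not real project
# history) and checks both behaviours. Returns 0 only if every check holds.
demo() {
  work=$(mktemp -d)
  up=$work/upstream fork=$work/fork

  git init --quiet "$up" && git -C "$up" symbolic-ref HEAD refs/heads/master
  echo 'version = 1' >"$up/config.txt"
  git -C "$up" add config.txt && git -C "$up" commit --quiet -m 'initial'
  git clone --quiet "$up" "$fork" && git -C "$fork" remote add upstream "$up"

  # Upstream and fork now edit the same line differently: a genuine conflict.
  echo 'version = 2' >"$up/config.txt"
  git -C "$up" commit --quiet -am 'upstream bump'
  echo 'version = 1  # fork-local patch' >"$fork/config.txt"
  git -C "$fork" commit --quiet -am 'fork-local change'

  if sync_branch "$fork" upstream master 2>/dev/null; then
    echo 'demo: conflicting sync was not refused' >&2; return 1
  fi
  # After the abort the fork must be pristine: no merge in progress, clean
  # tree, fork-local content intact.
  [ ! -e "$fork/.git/MERGE_HEAD" ] || return 1
  [ -z "$(git -C "$fork" status --porcelain)" ] || return 1
  grep -q 'fork-local patch' "$fork/config.txt" || return 1

  # Tag lease: publish v1.0, remember what the remote holds, then have
  # "someone else" move the tag upstream. The remembered lease is now stale.
  git -C "$fork" tag v1.0
  push_tag_with_lease "$fork" upstream v1.0 "$(remote_tag_oid "$fork" upstream v1.0)"
  lease=$(remote_tag_oid "$fork" upstream v1.0)
  git -C "$up" tag -f v1.0 HEAD >/dev/null
  if push_tag_with_lease "$fork" upstream v1.0 "$lease" 2>/dev/null; then
    echo 'demo: stale tag lease was accepted' >&2; return 1
  fi
  # Re-read the remote and push again with a fresh lease: now accepted.
  push_tag_with_lease "$fork" upstream v1.0 "$(remote_tag_oid "$fork" upstream v1.0)"
  [ "$(remote_tag_oid "$fork" upstream v1.0)" = "$(git -C "$fork" rev-parse v1.0)" ] || return 1

  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo && echo 'sync-fork demo: OK'; fi
```

Run `sh sync-fork.sh --demo` to exercise the self-check. In a workflow the `run:` step would call `sync_branch` and let its non-zero exit fail the job, so a conflict surfaces as a red run for a human to resolve rather than as a silently overwritten file; the leased tag push reads the remote immediately before pushing, which is the window `--force` leaves open.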