Summary
Follow-up hardening for the github/review composite action, surfaced during the multi-model code review of #900. These are non-blocking reliability/security refinements to the action's binary-version resolution and hosted-credential write. None are regressions — they harden behavior that #900 introduces or that pre-dates it.
Items
-
Authenticate the release-version lookup and stop caching a floating latest.
- The fallback path (
github.action_ref is a branch/SHA/main, not a semver tag) calls api.github.com/.../releases/latest unauthenticated, which is IP-rate-limited to 60 req/hr — a busy org's runners can get throttled into the latest fallback.
- When the version resolves to
latest, it's used as a static cache key, so a single rate-limited/offline lookup pins whatever binary it grabbed and reuses it forever, silently ignoring later releases.
- Fix: pass
${{ github.token }} on the curl (60 → 1,000 req/hr) and gate the cache step with if: steps.version.outputs.version != 'latest'.
-
Keep the hosted Altimate API key out of the jq process argv.
- The credential write passes the key via
--arg key "$IN_ALT_KEY", placing it in argv (visible to other processes; printed verbatim if a user enables ACTIONS_STEP_DEBUG → set -x).
- Fix: read the key from the environment inside the
jq program ($ENV.IN_ALT_KEY).
Notes
Summary
Follow-up hardening for the
github/reviewcomposite action, surfaced during the multi-model code review of #900. These are non-blocking reliability/security refinements to the action's binary-version resolution and hosted-credential write. None are regressions — they harden behavior that #900 introduces or that pre-dates it.Items
Authenticate the release-version lookup and stop caching a floating
latest.github.action_refis a branch/SHA/main, not a semver tag) callsapi.github.com/.../releases/latestunauthenticated, which is IP-rate-limited to 60 req/hr — a busy org's runners can get throttled into thelatestfallback.latest, it's used as a static cache key, so a single rate-limited/offline lookup pins whatever binary it grabbed and reuses it forever, silently ignoring later releases.${{ github.token }}on the curl (60 → 1,000 req/hr) and gate the cache step withif: steps.version.outputs.version != 'latest'.Keep the hosted Altimate API key out of the
jqprocess argv.--arg key "$IN_ALT_KEY", placing it inargv(visible to other processes; printed verbatim if a user enablesACTIONS_STEP_DEBUG→set -x).jqprogram ($ENV.IN_ALT_KEY).Notes
@vX.Y.Zpath is unaffected — it never hits the release-API lookup.