Skip to content

Harden auto-merge workflow against pull_request_target fork attacks (CI-001)#386

Merged
ydesgagn merged 1 commit into
masterfrom
fix/auto-merge-fork-guard
May 17, 2026
Merged

Harden auto-merge workflow against pull_request_target fork attacks (CI-001)#386
ydesgagn merged 1 commit into
masterfrom
fix/auto-merge-fork-guard

Conversation

@ydesgagn
Copy link
Copy Markdown
Contributor

@ydesgagn ydesgagn commented May 17, 2026
edited
Loading

Summary

The generated auto-merge.yml workflow triggers on pull_request_target with contents/issues/pull-requests: write and uses secrets.GH_PAT / secrets.GH_BOT_PAT. It is safe today, but is one PR-controlled-string interpolation away from a token-exfiltration path, and the bot PAT carries org-wide write rights. This patches the generator so every downstream repo gets the fix on regeneration.

Key changes:

  • lib/ghb/auto_merge_manager.rb: add a job-level fork guard (github.event.pull_request.head.repo.full_name == github.repository) so the privileged token never runs against fork-checked-out code; add a per-PR concurrency group with cancel-in-progress; write an # AUTO-GENERATED by github-build header so the file is no longer hand-edited.
  • spec/ghb/auto_merge_manager_spec.rb: update the draft-PR expectation and add coverage for the fork guard, the concurrency group, and the auto-generated header.

Addresses code-review finding CI-001 (Critical). Companion PR: Cloud-Officer/ci-actions#197 (consumes the regenerated workflow).

Types of changes

  • Bugfix (fixes an issue)
  • New feature (adds functionality)
  • Refactoring (improves code without changing functionality)
  • Breaking change (incompatible changes)
  • Build or security update (updates dependencies, libraries, or security patches)
  • Code style or documentation update (formatting, renaming, or documentation changes)
  • Other (please describe):

Checklist

  • Unit tests added to validate my fix/feature
  • I have manually tested my change
  • I did not add automation test. Why ?:
  • Database changes requiring migration with downtime or reprocessing of existing data
  • The SOUP file lists the risk Level, requirements and verification reasoning associated with each library
  • readme.md includes sections on introduction, installation, usage, and contributing
  • docs/architecture.md includes sections on the architecture diagram, software units, software of unknown provenance, critical algorithms and risk controls related to PII and security
  • Impact on PII, privacy regulations (CCPA/GDPR/PIPEDA), CIS benchmarks or security (availability/confidentiality/integrity); management must be notified

Further comments (if required)

Regenerating any consumer repo will rewrite its .github/workflows/auto-merge.yml with the fork guard, concurrency group, and AUTO-GENERATED header. Merge this PR before the companion Cloud-Officer/ci-actions#197 is regenerated so the committed workflow and the generator stay in sync.

@ydesgagn @claude
Harden auto-merge workflow against pull_request_target fork attacks
d6310b8 
The generated auto-merge workflow runs on pull_request_target with
contents/issues/pull-requests write and the GH_PAT/GH_BOT_PAT tokens.
Add a job-level guard so the privileged token never runs against code
from a fork, add a per-PR concurrency group to cancel superseded runs,
and stamp an AUTO-GENERATED header so the file is not hand-edited.

Addresses code-review finding CI-001.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ydesgagn ydesgagn requested a review from a team as a code owner May 17, 2026 11:39
@ydesgagn ydesgagn mentioned this pull request May 17, 2026
Merged
15 tasks
@ydesgagn ydesgagn merged commit 7b1c08c into master May 17, 2026
16 checks passed
@ydesgagn ydesgagn deleted the fix/auto-merge-fork-guard branch May 17, 2026 11:51
ydesgagn added a commit to Cloud-Officer/ci-actions that referenced this pull request May 17, 2026
@ydesgagn @claude
Fix three critical code-review findings (#197)
df93bd6 
BUG-007/BUG-008/QUAL-020 (codedeploy/deploy): the monitor exited 0 on
timeout and treated blue/green "Ready" as terminal success, so failed or
in-flight deployments reported green. Now polls with set -euo pipefail,
treats only Succeeded as success, fails on Failed/Stopped and on timeout,
keeps polling through Ready, and the window is configurable via the new
monitor-timeout-minutes input (default 30).

TEST-001 (variables): the bats suite re-implemented production functions
instead of running them. variables.sh now defines all helpers up front
and guards its main body behind BASH_SOURCE==$0; the suite sources the
real script. All 65 tests pass against production code.

CI-001 (auto-merge.yml): regenerated from the patched github-build
generator - adds a fork guard, a per-PR concurrency group, and the
AUTO-GENERATED header. See Cloud-Officer/github-build#386.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cloudofficer-admin cloudofficer-admin cloudofficer-admin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ydesgagn @cloudofficer-admin