ci(security): add-to-project uses pull_request, tolerates missing App#132
After the repo transfer from zackees/fbuild to FastLED/fbuild, the "FastLED Project Sync" GitHub App isn't installed on the new org, so every PR and issue event was failing at the App token step:

```
Failed to create token for "FastLED": Not Found url: https://api.github.com/users/FastLED/installation, status: 404
```

Mark the token step as continue-on-error and gate the downstream add-to-project step on its outcome. Emits a warning annotation pointing at the org Installations page so the App can be reinstalled later.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
**CodeRabbit:** Warning: rate limit exceeded.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 51 minutes and 10 seconds.

- How to resolve this issue? After the wait time has elapsed, a review can be triggered. We recommend that you space out your commits to avoid hitting the rate limit.
- How do rate limits work? CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information.
- Review info: configuration used: `.coderabbit.yaml`; review profile: CHILL; plan: Pro; files selected for processing: 1.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
…request pull_request_target runs with base-repo secrets (PROJECT_APP_PRIVATE_KEY) against fork-authored metadata — a known exfiltration vector even for workflows that don't check out code. Fork PRs will no longer be auto-added to the project (they run without secrets under pull_request), but that is the intended safety trade-off.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Two related fixes to the `add-to-project` workflow:

### 1. Security: `pull_request_target` → `pull_request`

`pull_request_target` runs in the base repo's context with access to secrets (`PROJECT_APP_PRIVATE_KEY`) but uses the PR's metadata. That's an exfiltration vector even when no code is checked out — malicious fork PRs could coerce `actions/add-to-project` or `actions/create-github-app-token` inputs in ways that leak the token. Switching to `pull_request` means fork PRs run without secrets (and therefore won't be auto-added) — an intentional trade-off for safety.

### 2. Tolerate missing GitHub App installation

After the repo transfer from `zackees/fbuild` to `FastLED/fbuild`, the FastLED Project Sync App is not installed on the new org. Every event was failing at the token step:

```
Failed to create token for "FastLED": Not Found url: https://api.github.com/users/FastLED/installation, status: 404
```

`continue-on-error` on the token step + gate the "Add to project" step on its outcome, plus a `::warning::` annotation pointing at the org Installations page. (Re-installing the App is still a separate admin step to restore functionality.)

## Test plan

- … `add-to-project` as failing
- Re-install the `FastLED Project Sync` App on the FastLED org to restore auto-add

🤖 Generated with Claude Code
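The two changes the description above lists, written out as one workflow. This is an added illustration, not the fbuild project's actual workflow file: the `PROJECT_APP_PRIVATE_KEY` secret, the two actions and the `::warning::` annotation come from the PR, while the `PROJECT_APP_ID` secret name, the step ids, the project URL and the exact shape of the org Installations URL are assumptions made for the example. The old trigger is kept as a comment so the weak and corrected settings sit side by side.

```yaml
# Added example, not the project's own workflow.
# Assumed names: PROJECT_APP_ID (secret), step id app-token, project URL placeholder.
name: Add to project

# Before the fix the workflow used the trigger below. It runs in the base
# repository's context, with repository secrets, while the event payload
# (title, body, labels, ...) is authored by the fork: anything that feeds
# that payload into step inputs is a way to leak the App token.
#
# on:
#   pull_request_target:
#     types: [opened, reopened]
#
# After the fix: pull_request. Fork PRs run without repository secrets, so
# the token step fails on them and they are simply not auto-added.
on:
  issues:
    types: [opened, reopened]
  pull_request:
    types: [opened, reopened]

# The default GITHUB_TOKEN needs nothing beyond read here; the App token
# does the project write.
permissions:
  contents: read

jobs:
  add-to-project:
    runs-on: ubuntu-latest
    steps:
      - name: Create App token
        id: app-token
        # Tolerate a missing App installation (or missing secrets on a fork
        # PR): this step is marked failed, but the job keeps running.
        continue-on-error: true
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PROJECT_APP_ID }}                # assumed secret name
          private-key: ${{ secrets.PROJECT_APP_PRIVATE_KEY }}  # secret named in the PR
          owner: ${{ github.repository_owner }}

      - name: Warn when the App token could not be created
        # outcome is the step's own result before continue-on-error is applied,
        # so it is 'failure' here even though the job continues.
        if: steps.app-token.outcome != 'success'
        run: |
          echo "::warning::Could not create a token for the project-sync App. Check the App installation at https://github.com/organizations/${{ github.repository_owner }}/settings/installations"

      - name: Add to project
        # Gate on the token step's outcome so add-to-project is never called
        # with an empty token.
        if: steps.app-token.outcome == 'success'
        uses: actions/add-to-project@v1
        with:
          project-url: https://github.com/orgs/EXAMPLE-ORG/projects/1  # placeholder
          github-token: ${{ steps.app-token.outputs.token }}
```

The gate uses `steps.app-token.outcome` rather than `conclusion`: `outcome` reports the step's real result (`failure` when the installation lookup 404s, or when a fork PR has no secrets), whereas `conclusion` is already rewritten to `success` by `continue-on-error`. On a fork PR the warning fires and the add step is skipped, which is exactly the trade-off the PR description states; on the base repo the job goes back to working as soon as an org admin re-installs the App.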