
Fix issues reported by CodeQL #104

Merged: knoepfel merged 6 commits into main from maintenance/fix-codeql-reports on Nov 19, 2025

Conversation

greenc-FNAL (Contributor) commented Nov 10, 2025

  • Resolve a rash of missing-permissions issues called out by CodeQL

greenc-FNAL force-pushed the maintenance/fix-codeql-reports branch 13 times, most recently from ed216f8 to 42ebc4e (November 13, 2025 22:15)
greenc-FNAL force-pushed the maintenance/fix-codeql-reports branch from 42ebc4e to 7ce4f6c (November 13, 2025 23:24)
greenc-FNAL force-pushed the maintenance/fix-codeql-reports branch 5 times, most recently from 8a8b8ad to d5712b1 (November 14, 2025 03:14)
github-actions bot (Contributor) commented Nov 14, 2025

Review the full CodeQL report for details.

greenc-FNAL force-pushed the maintenance/fix-codeql-reports branch 5 times, most recently from e9a54ff to e6754ad (November 18, 2025 23:39)
greenc-FNAL and others added 2 commits November 19, 2025 13:42
Shouldn't need package permissions for a public image

Try with top-level permissions block
Updates all third-party GitHub Actions used in the CI/CD workflows to their latest stable tagged versions. Each action is now pinned to a specific commit SHA to enhance security and prevent unexpected changes from future updates to the action tags. An inline comment has been added to each `uses:` line to indicate the corresponding version tag.
greenc-FNAL force-pushed the maintenance/fix-codeql-reports branch from e6754ad to 56fcad9 (November 19, 2025 19:43)
google-labs-jules bot and others added 3 commits November 19, 2025 15:14
This commit addresses the `actions/untrusted-checkout/high` CodeQL alert, which flags a security vulnerability where workflows triggered by `issue_comment` could check out and execute untrusted code from a pull request in a privileged context.

The following workflows have been updated to check that the comment author has a trusted association (`COLLABORATOR` or `OWNER`) before running jobs that check out external code:

- .github/workflows/clang-format-fix.yaml
- .github/workflows/clang-tidy-check.yaml
- .github/workflows/clang-tidy-fix.yaml
- .github/workflows/cmake-build.yaml
- .github/workflows/cmake-format-fix.yaml

This ensures that potentially malicious code from pull requests is not executed with write permissions to the repository simply by a user posting a comment.

This commit updates all workflows that use local reusable actions to instead use the versions from the `main` branch of the `Framework-R-D/phlex` repository.

Pinning actions to a specific branch or commit is a security best practice that prevents pull requests from executing their own modified, potentially malicious versions of those actions. It also improves the consistency and reliability of the workflows.

The following workflows were updated:
- .github/workflows/clang-format-check.yaml
- .github/workflows/clang-tidy-check.yaml
- .github/workflows/clang-tidy-fix.yaml
- .github/workflows/cmake-build.yaml
- .github/workflows/cmake-format-check.yaml
- .github/workflows/codeql-analysis.yaml
- .github/workflows/coverage.yaml
greenc-FNAL marked this pull request as ready for review November 19, 2025 22:07
knoepfel merged commit 53e5ee7 into main Nov 19, 2025
20 checks passed
greenc-FNAL deleted the maintenance/fix-codeql-reports branch November 25, 2025 17:44
greenc-FNAL added a commit that referenced this pull request Feb 13, 2026
Resolve 6 medium-severity code injection alerts (CodeQL #107, #105, #104, #103, #102, #100)
in .github/actions/handle-fix-commit/action.yaml by moving user inputs to environment
variables before use in shell commands.

This follows GitHub Security Lab best practices for preventing code injection in
GitHub Actions workflows:
https://securitylab.github.com/research/github-actions-untrusted-input/

Changes:
- Added env: section mapping all user inputs to environment variables
- Updated shell script to use $VAR syntax instead of ${{ inputs.X }} syntax
- Properly quoted all variable references to prevent word splitting

Inputs affected:
- inputs.token → $TOKEN
- inputs.tool → $TOOL
- inputs.retry-attempts → $RETRY_ATTEMPTS
- inputs.pr-info-ref → $PR_REF
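How the three hardening steps described in the commit messages above fit together in one workflow, as an added example that is not a phlex workflow: an `issue_comment`-triggered job gated on the comment author's association, a checkout pinned to a commit SHA with the tag kept in a comment, and untrusted event data mapped to environment variables before a quoted shell reference. The workflow name, the `/fix` trigger phrase, the tool list and the placeholder SHA are assumptions.

```yaml
# Added example (not the phlex project's own workflow): an issue_comment-triggered
# job hardened along the lines the commit messages describe. Placeholder SHA,
# workflow name and trigger phrase are assumptions.
name: fix-on-comment
on:
  issue_comment:
    types: [created]

# Top-level permissions block: read-only by default; the job opts in below.
permissions:
  contents: read

jobs:
  apply-fix:
    # issue_comment runs in the base repository with its secrets, so gate on
    # a comment on a PR, a trusted author association and the trigger phrase
    # before any step checks out PR code.
    if: >-
      github.event.issue.pull_request &&
      contains(fromJSON('["COLLABORATOR", "OWNER"]'), github.event.comment.author_association) &&
      startsWith(github.event.comment.body, '/fix')
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      # Pinned to a full commit SHA (placeholder here) with the tag kept in a comment.
      - uses: actions/checkout@<full-commit-sha> # vX.Y.Z (placeholder, replace with the real pin)
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head

      # Vulnerable pattern behind the code-injection alerts: the expression is
      # expanded straight into the script, so a crafted comment body becomes shell code.
      #   run: echo "Requested: ${{ github.event.comment.body }}"
      #
      # Hardened pattern: map untrusted values to env vars first, then reference
      # them as quoted shell variables, which the shell treats as data, not code.
      - name: Run the requested tool
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
          PR_NUMBER: ${{ github.event.issue.number }}
          TOOL: clang-format
        run: |
          set -euo pipefail
          echo "Comment on PR #${PR_NUMBER}: ${COMMENT_BODY}"
          case "$TOOL" in
            clang-format|cmake-format) echo "running $TOOL" ;;
            *) echo "unknown tool: $TOOL" >&2; exit 1 ;;
          esac
```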