fix(ci): repair invalid contribution_approved workflow + harden untrusted inputs#55
Merged
Merged
Conversation
…sted inputs
The 'Comment on failure' step used a double-quoted string literal ("Unknown error") inside a ${{ }} expression. GitHub Actions expressions only allow single-quoted literals, so the whole file was an invalid workflow — it startup-failed on every event and the manual-contribution approval path never ran.
Fixes:
- Move error_message into env: and default to 'Unknown error' in JS (fixes the syntax error AND removes the script-injection from #41).
- Move commit_message / contributor_name / contributor_email into env: and reference quoted shell vars (removes the command-injection sinks from #41 that go live once the workflow runs again).
- Add a git no-op guard so an empty diff no longer fails the run / posts a spurious failure comment.
- Add an explicit least-privilege permissions: block (contents+issues write).
Refs #41
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
contribution_approved.ymlwas an invalid workflow file and startup-failed on every event (visible as a string of failedpushruns going back to commits before this work). The cause is on the "Comment on failure" step:GitHub Actions expressions only allow single-quoted string literals; the double-quoted
"Unknown error"is a syntax error that invalidates the whole file. Because the file never loaded, the manual contribution approval path never ran (the "Just Paste Link" flow uses the separate, healthyauto_extract.yml, so only manualNew Hackathon/Close Hackathon→approvedsubmissions were affected).Fix
error_messageintoenv:and default to'Unknown error'in JS. This also removes the script-injection into thegithub-scriptbody flagged in [Critical] Security: GitHub Actions command & script injection via untrusted issue content #41.commit_message,contributor_name, andcontributor_emailnow flow throughenv:and are referenced as quoted shell vars instead of${{ }}interpolation intorun:.permissions:block added (contents: write,issues: write) — the file previously had none and fell back to the default token scopes.Verification
${{ }}.contribution_approvedstartup-failure for the commit, whereas prior branch pushes (with the broken file) did — confirming GitHub now accepts the file.Out of scope (tracked in #41)
auto_extract.ymlhas the analogouscommit_messageinjection on its own commit step. It's left untouched here to avoid risk to the primary, currently-working add-hackathon flow; it should get the sameenv:treatment as a follow-up.Refs #41
🤖 Generated with Claude Code