Potential fix for code scanning alert no. 16: Checkout of untrusted code in trusted context #17

Merged: InstaZDLL merged 3 commits into main from alert-autofix-16 on May 15, 2026

InstaZDLL (Owner) commented May 15, 2026

Potential fix for https://github.com/InstaZDLL/WaveFlow/security/code-scanning/16

General fix: do not run checkout/build of PR HEAD in a job that has write permissions. Use an unprivileged PR workflow to compute/validate outputs, then a separate privileged workflow_run workflow to apply trusted updates after validation.

Best fix for this file, without changing the intended behavior too much: convert this workflow from direct pull_request execution to workflow_run so this file is no longer the “untrusted checkout in trusted context” workflow. In this file, remove direct PR checkout/build execution trigger and gate execution on completion of a dedicated unprivileged workflow. (That unprivileged workflow should generate/verify what is needed; this file should only do privileged write actions after strict checks.)
Within the shown file region, the concrete safe change is:

  • Replace the on: pull_request block with on: workflow_run (completed).
  • Add a job-level if gate validating workflow_run.event == 'pull_request' and successful conclusion.
  • Keep permissions minimized (contents: write only if still required for final push).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

  • Chores
    • Improved release workflow automation to streamline the lockfile update process during releases.

@InstaZDLL InstaZDLL self-assigned this May 15, 2026
@github-actions github-actions Bot added scope: ci CI/CD, workflows size: xs < 10 lines labels May 15, 2026
Repository owner deleted a comment from coderabbitai Bot May 15, 2026
@InstaZDLL InstaZDLL requested a review from Copilot May 15, 2026 17:42
Copilot AI (Contributor) left a comment

Pull request overview

This PR attempts to address a code-scanning alert ("Checkout of untrusted code in trusted context") by switching release-please-bump-lockfile.yml from a direct pull_request trigger to a workflow_run trigger that fires when the "Release Please" workflow completes, and replaces the head_ref/author gating with a check that the upstream run was a successful pull_request event.

Changes:

  • Replace on: pull_request with on: workflow_run for the "Release Please" workflow.
  • Replace the startsWith(github.head_ref, 'release-please--') + bot-author gate with workflow_run.event == 'pull_request' && conclusion == 'success'.
  • Leave the rest of the job (checkout via github.head_ref, cargo check, push back to PR branch) unchanged.
Comments suppressed due to low confidence (1)

.github/workflows/release-please-bump-lockfile.yml:38

  • In a workflow_run-triggered job, github.head_ref is not populated (it is only set for pull_request/pull_request_target events). Both the checkout ref: ${{ github.head_ref }} on line 44 and the git push origin "HEAD:${{ github.head_ref }}" on line 85 will therefore resolve to an empty string and fail (or checkout the wrong branch). Use github.event.workflow_run.head_branch (and github.event.workflow_run.head_repository.full_name) instead, and note that for a push-triggered upstream workflow this will be main, not a PR branch — meaning the strategy of amending into the release-please PR branch doesn't translate to a workflow_run on a push-driven workflow.
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'

Comment thread .github/workflows/release-please-bump-lockfile.yml Outdated
Comment on lines +25 to +38
startsWith(github.head_ref, 'release-please--') &&
github.event.pull_request.user.login == 'github-actions[bot]'
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
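Review bot: The replacement condition on lines +25 to +38 no longer constrains which branch or author the job acts on: the `startsWith(github.head_ref, 'release-please--')` and `github.event.pull_request.user.login == 'github-actions[bot]'` checks are gone, and only the upstream run's event and conclusion remain. The overview above says the rest of the job still checks out a branch and pushes back to it, so keep an equivalent branch-prefix and bot-author check that works under workflow_run. Also confirm that the "Release Please" workflow can actually produce a run whose event is `pull_request`; if it only runs on push, this gate never passes and the job is silently skipped.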
Owner Author

@copilot apply changes based on this feedback

Contributor

Fixed in c7b9c9c. The security gates are now restored properly:

  1. Correct event type: The if guard now checks github.event.workflow_run.event == 'push' (release-please.yml triggers on push to main, never pull_request) and adds name == 'Release Please' as extra defense-in-depth.

  2. Branch-name + author gates restored: A new find-pr step queries gh pr list --author "github-actions[bot]" --limit 1 and filters with .headRefName | startswith("release-please--"). Only when a matching open bot-authored PR is found does the checkout and cargo check proceed — all subsequent steps gate on steps.find-pr.outputs.branch != ''.

  3. github.head_ref fixed: That variable is empty in a workflow_run context. All checkout and push steps now use ${{ steps.find-pr.outputs.branch }} instead.

  4. pull-requests: read added to allow gh pr list to run.

  5. Comment block updated to accurately describe the new API-based validation flow.
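
The gated workflow_run job described in the reply above, written out as a workflow file. This is an added sketch, not the repository's release-please-bump-lockfile.yml: the step layout, action version, commit message and jq filter are assumptions, and it assumes the runner already has a Rust toolchain.

```yaml
# Added sketch, not the repository's workflow. Step names, action version and
# commit message are assumptions; the gates follow the reply above.
on:
  workflow_run:
    workflows: ["Release Please"]
    types: [completed]

permissions:
  contents: write        # needed only for the final push
  pull-requests: read    # lets `gh pr list` run

jobs:
  bump-lockfile:
    runs-on: ubuntu-latest
    # Gate on the upstream run: expected workflow, push-triggered, successful.
    if: >-
      github.event.workflow_run.name == 'Release Please' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - name: Find the open release-please PR
        id: find-pr
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          branch="$(gh pr list --repo "$GITHUB_REPOSITORY" --state open \
            --author "github-actions[bot]" --json headRefName \
            --jq '[.[] | select(.headRefName | startswith("release-please--"))][0].headRefName // ""')"
          echo "branch=$branch" >> "$GITHUB_OUTPUT"

      - uses: actions/checkout@v4
        if: steps.find-pr.outputs.branch != ''
        with:
          ref: ${{ steps.find-pr.outputs.branch }}

      - name: Regenerate Cargo.lock
        if: steps.find-pr.outputs.branch != ''
        run: cargo check --manifest-path src-tauri/Cargo.toml

      - name: Commit and push
        if: steps.find-pr.outputs.branch != ''
        env:
          BRANCH: ${{ steps.find-pr.outputs.branch }}   # passed via env, not inlined into the script
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git diff --quiet || git commit -am "chore: update Cargo.lock"
          git push origin "HEAD:$BRANCH"
```

When no matching bot-authored PR is open, `find-pr` writes an empty `branch` output and every later step is skipped, so nothing is checked out or pushed.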

coderabbitai Bot commented May 15, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 83b5fda and 04d5ace.

📒 Files selected for processing (1)
  • .github/workflows/release-please-bump-lockfile.yml

Walkthrough

The workflow is restructured from a pull_request trigger to a workflow_run companion that fires after Release Please completes. It now discovers the active Release Please PR branch via GitHub CLI, checks out that branch, regenerates the Cargo.lock file, and pushes updates directly to the discovered branch instead of the GitHub context head_ref.

Changes

Release Please Lockfile Automation

| Layer / File(s) | Summary |
|---|---|
| Workflow trigger and PR discovery mechanism (.github/workflows/release-please-bump-lockfile.yml) | Workflow trigger migrated from pull_request on main to workflow_run that fires after the Release Please workflow succeeds. Job gates on the upstream run result and name, then discovers the open Release Please PR using GitHub CLI by matching branch name pattern release-please-- and PR creator github-actions[bot]. Checkout, Rust toolchain, and cache steps now reference the dynamically discovered PR branch. |
| Lockfile refresh and branch update (.github/workflows/release-please-bump-lockfile.yml) | Cargo check is executed against src-tauri/Cargo.toml when the Release Please PR branch is found, regenerating the lockfile. The commit and push steps are gated on the successful discovery of the PR, and the final git push target is updated to use the discovered branch reference (steps.find-pr.outputs.branch) instead of github.head_ref. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A workflow's new dance, Release Please leads the way,
With a lock file refresh on discovery day,
No more waiting for pull requests to call,
The companion workflow handles it all! 🔐

@github-actions github-actions Bot added size: m 50-200 lines and removed size: xs < 10 lines labels May 15, 2026
InstaZDLL and others added 3 commits May 15, 2026 21:25
…ode in trusted context

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@InstaZDLL InstaZDLL marked this pull request as ready for review May 15, 2026 19:28
@InstaZDLL InstaZDLL merged commit 5d6c35b into main May 15, 2026
11 of 12 checks passed
@InstaZDLL InstaZDLL deleted the alert-autofix-16 branch May 15, 2026 19:28