Skip to content

fix(security): fetch gateway targets at runtime#96

Closed
Pigbibi wants to merge 2 commits into
mainfrom
codex/fetch-targets-api-20260713
Closed

fix(security): fetch gateway targets at runtime#96
Pigbibi wants to merge 2 commits into
mainfrom
codex/fetch-targets-api-20260713

Conversation

@Pigbibi

@Pigbibi Pigbibi commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • fetch gateway target variables through the GitHub API at runtime instead of interpolating raw configuration into github-script inputs
  • grant only read access to Actions metadata for resolver and target jobs
  • preserve opaque digest binding and existing target masking

Validation

  • bash tests/test_install_2fa_bot_watcher.sh
  • bash tests/test_wait_for_ib_gateway_ready.sh
  • bash tests/test_workflow_shared_config.sh
  • bash tests/test_docker_compose_ports.sh
  • bash tests/test_gateway_recovery_scripts.sh
  • bash tests/test_run_override_api_config.sh
  • actionlint .github/workflows/*.yml
  • git diff --check

Co-Authored-By: Codex <noreply@openai.com>
@Pigbibi Pigbibi enabled auto-merge (squash) July 12, 2026 21:49
@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown

🤖 Codex PR Review

🚫 Merge blocked: 1 serious issue(s) found in high-risk files

🚫 Blocking Issues

These issues must be fixed before this PR can be merged:

1. 🟠 [HIGH] Bug in .github/workflows/capture-screen.yml

The resolver/target jobs now call github.rest.actions.getRepoVariable() and getOrgVariable(), but the job-level permissions blocks only grant actions: read and contents: read. GitHub's Variables REST endpoints are documented as requiring variable-read authorization, and once permissions is specified, every unspecified scope is forced to none. If GITHUB_TOKEN does not map actions: read to variable access here, every run of these workflows will fail at runtime with a 403/404 before the matrix is resolved. The same pattern is duplicated in diagnose.yml and remote-maintenance.yml. (line 42)

Suggestion: Do not rely on the job token for Variables API access unless you have verified the exact required scope for GITHUB_TOKEN in Actions. Either keep the non-API path, or switch to a token/mechanism that is explicitly allowed to read repository and organization variables, and add a coverage test that exercises the live resolver path instead of only grepping for the code snippet.


Review by Codex PR Review bot • PR

Co-Authored-By: Codex <noreply@openai.com>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d8b72228ba

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/capture-screen.yml Outdated
with:
script: |
const raw = ${{ toJSON(vars.IB_GATEWAY_TARGETS_JSON) }};
const response = await github.rest.actions.getRepoVariable({

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Provide a Variables-capable token for getRepoVariable

In these workflow jobs the default github-script token is the job GITHUB_TOKEN; setting actions: read does not grant the repository “Variables” permission required by GET /repos/{owner}/{repo}/actions/variables/{name}. As soon as any capture/diagnose/maintenance run tries to resolve IB_GATEWAY_TARGETS_JSON, this call will fail with 403 instead of producing the matrix, so the workflows never reach the gateway steps; use vars safely or pass a GitHub App/PAT token with Variables read.

Useful? React with 👍 / 👎.

Comment thread .github/workflows/diagnose.yml Outdated
with:
script: |
const raw = ${{ toJSON(vars.IB_GATEWAY_TARGETS_JSON) }};
const response = await github.rest.actions.getRepoVariable({

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve org-level IB_GATEWAY_TARGETS_JSON lookup

When IB_GATEWAY_TARGETS_JSON is defined as an organization variable shared with this repository, the previous vars.IB_GATEWAY_TARGETS_JSON lookup resolved it, but this REST call only fetches repository variables and will return not found before the matrix is built. This regresses org-level deployments even if the token permission issue is fixed; either keep using the vars context safely or fall back to the organization-variable endpoint.

Useful? React with 👍 / 👎.

@Pigbibi

Pigbibi commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator Author

Closed after live read-only resolver validation confirmed GITHUB_TOKEN receives HTTP 403 for repository Variables API. A secure replacement requires a separately approved secret/token migration; no unsafe fallback will be merged.

@Pigbibi Pigbibi closed this Jul 12, 2026
auto-merge was automatically disabled July 12, 2026 22:01

Pull request was closed

@Pigbibi Pigbibi deleted the codex/fetch-targets-api-20260713 branch July 12, 2026 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant