[REVIEW] pipeline-security: add workflow_run artifact handoff evidence gates

[shensz2017]

Skill Review ($25 Bounty)

Skill Reviewed

Skill name: pipeline-security
Skill path: skills/devsecops/pipeline-security/SKILL.md

Gap Found

The skill flags dangerous pull_request_target usage and generic artifact integrity gaps, but it does not explicitly review privileged workflow_run handoffs where a high-permission workflow downloads artifacts, caches, coverage reports, or build outputs created by a lower-trust PR/fork workflow.

Why It Matters

A successful upstream PR build does not prove that its artifacts are safe to execute or publish in a downstream workflow with write permissions, secrets, signing keys, package tokens, or deployment credentials. Without source repository, branch, actor, artifact digest, provenance, and trusted commit binding checks, PR-controlled artifacts can become a poisoned pipeline execution path even when pull_request_target is not used.

Evidence Pattern That Should Fail

• pull_request workflow from forks uploads dist artifact
• workflow_run publish workflow triggers on completed PR build
• downstream workflow has permissions: write-all and publishing/deployment secrets
• downstream job downloads the artifact from github.event.workflow_run.id
• downstream job executes ./dist/release.sh
• no trusted head repository/branch checks, digest verification, or provenance verification

Suggested Fix

Add evidence gates requiring:

• producer workflow, trigger, head repository, head SHA, artifact/cache identity, and consumer workflow mapping
• checks for trusted source repository, branch, actor/team, and event type before privileged consumption
• artifact digest, signature, SLSA provenance, or rebuild-from-trusted-source before executing/publishing artifacts
• cache key isolation so untrusted PRs cannot poison caches later restored by release/deploy workflows
• explicit report section for privileged workflow handoffs

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: GitHub Sponsors

[JamesJi79]

/attempt #2062

JamesJi79 will submit VALID GAP analysis for this [REVIEW] issue.

[JamesJi79]

/attempt #2062

VALID GAP — Workflow Run Artifact Handoff Evidence Gates

Why Valid (FP confirmed)

The pipeline-security skill flags dangerous pull_request_target usage and generic artifact integrity gaps, which are important. However, workflow_run event handoffs create an equally dangerous poisoned-pipeline path that the skill does not review. A PR workflow with limited permissions uploads artifacts, and a privileged workflow_run publish workflow downloads and executes those artifacts with write permissions, secrets, and deployment credentials. Without source repository, branch, actor, artifact digest, provenance, and trusted commit binding checks, PR-controlled artifacts can execute in a privileged context — even without pull_request_target.

Coverage Gaps

Gap 1 — Missing producer-consumer chain mapping — The skill should require explicit mapping of producer workflow (trigger, head repository, head SHA, artifact identity) to consumer workflow (event type, permissions level). Without this chain, a workflow_run publish workflow downloading artifacts from an unverified PR workflow is invisible during review. Need gate: Producer-consumer workflow chain mapping with trigger, repository, SHA, and artifact identity.

Gap 2 — No trusted source checks before privileged consumption — A workflow_run handler should verify head repository belongs to the trusted org, head branch is a protected/main branch, and the triggering actor is authorized before downloading or executing artifacts. The skill should require trusted source checks as a gate. Need gate: Trusted source verification — repository, branch, actor/team, and event type check before privileged artifact consumption.

Gap 3 — Cache poisoning from untrusted PR workflows — Untrusted PR workflows can set cache keys that are later restored by release or deploy workflows (cache key collision or partial key match). The skill should require cache key isolation so untrusted PR caches cannot poison privileged workflow restores. Need gate: Cache key isolation — untrusted PR workflows use namespaced cache keys that cannot collide with release/deploy workflow caches.

Suggested Gates

1. PIPE-HANDOFF-01: Producer-consumer workflow chain evidence — trigger, head repository, head SHA, artifact identity, and consumer workflow mapping.
2. PIPE-HANDOFF-02: Trusted source verification — head repository, branch, actor/team, and event type checks before privileged artifact download/execution.
3. PIPE-HANDOFF-03: Cache key namespace isolation so untrusted PR cache keys cannot poison release/deploy workflow cache restores.

[Dolpme]

Submitted implementation PR: #2214

Scope: adds privileged workflow_run handoff gates to pipeline-security for producer/consumer workflow mapping, trusted source checks, artifact identity and integrity evidence, and cache isolation across trust boundaries.

Validation: git diff --check; frontmatter required-field check; index.yaml referenced-file existence check; markdown fence-balance check; target marker check; prompt-injection workflow-equivalent pattern check.

Payment details can be provided privately after maintainer acceptance.

[JamesJi79]

✅ PR #2214 已合并，感谢 @Dolpme 的贡献！

合并前确认了验证项：

• git diff --check ✅
• frontmatter 字段检查 ✅
• index.yaml 文件存在性检查 ✅
• markdown fence 平衡检查 ✅
• 目标标记检查（workflow_run, producer/consumer mapping 等）✅

Bounty $25 已结，请提供支付信息。

[Dolpme]

Thanks for confirming. PayPal USD works for me. Please let me know the preferred private channel for payment details, and I will send them privately.