More secure version of renovate-changelog.yml workflow#4453
Open
janhoy wants to merge 3 commits into
Splits renovate-changelog.yml into two separate workflows:
- Stage 1 (pull_request): checks out BASE repo only, runs trusted Python script, uploads generated changelog + PR metadata as artifact. No secrets.
- Stage 2 (workflow_run): downloads artifact, validates metadata, clones fork branch via SOLRBOT_GITHUB_TOKEN PAT, and pushes changelog file.

This eliminates the pull_request_target security anti-pattern where fork code was checked out in a context with write access to repository secrets.
- Stage 2: replace source of metadata file with grep/cut parsing to avoid executing file content as shell code
- Stage 2: use git credential store so SOLRBOT_GITHUB_TOKEN never appears in the command line or process listing
- Stage 2: add head_repository check to job if-condition, preventing spurious artifact-not-found failures for non-solrbot PRs
- Stage 2: add @ to HEAD_REF allowlist for Renovate branch names (e.g. renovate/node@lts)
- Stage 2: improve commit message to include PR number
- Both: add set -euo pipefail to multi-command run blocks
- grep lines use || true so missing keys fall through to the explicit error message instead of aborting silently under set -euo pipefail
- Replace HEAD_REF allowlist regex with git check-ref-format --branch, which rejects dangerous refspec chars (:, .., @{, trailing .lock) while correctly accepting Renovate branch names like renovate/node@lts
- chmod 600 on ~/.git-credentials and remove it after push completes
The `renovate-changelog.yml` workflow used `pull_request_target` to auto-generate changelog entries for Renovate (solrbot) PRs. This trigger is flagged as a security anti-pattern: it runs with write access to `SOLRBOT_GITHUB_TOKEN` while also checking out code from a fork branch.

We had no reason to believe the existing workflow is insecure in practice, for our particular use, but this is done to align with best practices.

This PR replaces the existing `renovate-changelog.yml` workflow with the two-stage `workflow_run` pattern recommended by GitHub's security hardening guide:

Stage 1 (`renovate-changelog-prepare.yml`, `pull_request` trigger, no secrets):
- runs the `generate-renovate-changelog.py` script
- uploads `changelog/unreleased/PR#NNN-*.yml` and PR metadata as an artifact

Stage 2 (`renovate-changelog-push.yml`, `workflow_run` trigger, has `SOLRBOT_GITHUB_TOKEN`):
- only runs when the head repository is `solrbot/apache-_-solr` (prevents spurious runs on non-solrbot PRs)
- parses metadata with `grep`/`cut` (never `source`)
- validates `HEAD_REPO`, `PR_NUMBER`, and `HEAD_REF` before any write operation
- uses the git credential store so the token never appears in the process list or command line
- removes any existing `PR#NNN-*.yml` files (handles slug changes), copies the new file, commits and pushes

No changes to `.github/scripts/generate-renovate-changelog.py`.

Disclaimer: Developed by Claude code, reviewed by Github Copilot. Follows
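As an added illustration of the Stage 2 hardening described in this PR (not code from the PR or the Solr repository), the following bash script parses a constructed metadata artifact with grep/cut instead of `source`, validates HEAD_REPO, PR_NUMBER and HEAD_REF before anything is written, and uses `git check-ref-format --branch` for the ref check. It assumes the artifact is a KEY=VALUE text file, that the only allowed head repository is solrbot/apache-_-solr, and that git is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not the PR's own workflow code). Assumes the Stage 1
# artifact is a KEY=VALUE text file and that git is on PATH.
set -euo pipefail

# Read one key with grep/cut instead of `source`, so artifact content is data,
# never shell. `|| true` keeps a missing key from aborting under `set -e`;
# the caller reports the explicit error instead.
meta_get() {
  local file="$1" key="$2"
  grep -m1 "^${key}=" "$file" | cut -d= -f2- || true
}

# Validate every field before any write operation; 0 on success, 1 otherwise.
validate_meta() {
  local file="$1" repo number ref
  repo="$(meta_get "$file" HEAD_REPO)"
  number="$(meta_get "$file" PR_NUMBER)"
  ref="$(meta_get "$file" HEAD_REF)"
  if [ "$repo" != "solrbot/apache-_-solr" ]; then
    echo "error: unexpected HEAD_REPO '${repo}'" >&2; return 1
  fi
  if ! printf '%s' "$number" | grep -Eq '^[0-9]+$'; then
    echo "error: PR_NUMBER must be numeric, got '${number}'" >&2; return 1
  fi
  # git check-ref-format --branch rejects ':', '..', '@{' and a trailing
  # '.lock' (all usable for refspec tricks) yet accepts renovate/node@lts.
  if [ -z "$ref" ] || ! git check-ref-format --branch "$ref" >/dev/null 2>&1; then
    echo "error: invalid HEAD_REF '${ref}'" >&2; return 1
  fi
  echo "${repo} ${number} ${ref}"
}

# Constructed sample artifacts (not real PR metadata) in a temp dir.
write_samples() {
  SAMPLE_DIR="$(mktemp -d)"
  printf 'HEAD_REPO=solrbot/apache-_-solr\nPR_NUMBER=4453\nHEAD_REF=renovate/node@lts\n' \
    > "${SAMPLE_DIR}/good.txt"
  # Tampered artifacts: a refspec-style ref, and a command substitution in a value.
  printf 'HEAD_REPO=solrbot/apache-_-solr\nPR_NUMBER=4453\nHEAD_REF=main:refs/heads/main\n' \
    > "${SAMPLE_DIR}/colon.txt"
  printf 'HEAD_REPO=solrbot/apache-_-solr\nPR_NUMBER=$(id)\nHEAD_REF=renovate/x\n' \
    > "${SAMPLE_DIR}/subst.txt"
}

write_samples
validate_meta "${SAMPLE_DIR}/good.txt"
validate_meta "${SAMPLE_DIR}/colon.txt" || echo "rejected, as intended"
validate_meta "${SAMPLE_DIR}/subst.txt" || echo "rejected, as intended"
```

Because the value `$(id)` is read as text rather than sourced, the tampered file is rejected by the numeric check and the command inside it never runs.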