Skip to content

[plan] Document bash allowlist decision rule in github-agentic-workflows.md #27502

Closed
#27506
Closed
[plan] Document bash allowlist decision rule in github-agentic-workflows.md#27502
#27506
Assignees
pelikhancopilot-swe-agent
Labels
ai-generatedcookieIssue Monster Loves Cookies!plan
@github-actions

Description

@github-actions
github-actions
bot
opened on Apr 21, 2026

Objective

Add a clear decision tree/rule to .github/aw/github-agentic-workflows.md explaining when to use a narrow bash allowlist vs. ["*"] for the bash: tool configuration.

Context

From discussion #27482 (Agent Persona Exploration - 2026-04-21), inconsistency was observed:

  • PR-triggered workflows used narrow lists like [find, cat, grep, wc]
  • Scheduled/internal workflows sometimes used bash: ["*"]
  • No documented decision rule exists for when to restrict vs. open bash access

Approach

In .github/aw/github-agentic-workflows.md, under the bash: tool documentation (around line 529), add a decision rule section:

**Bash allowlist decision rule:**
- **PR-triggered workflows** processing **untrusted input** (issue/PR body, comment text, user-provided filenames): use a **narrow allowlist** (e.g., `[find, cat, grep, wc, jq]`). This limits the blast radius if an attacker embeds shell injection attempts in untrusted content.
- **Scheduled or `workflow_dispatch` workflows** with **no untrusted input** (only data from trusted APIs or internal state): `["*"]` is acceptable. These run on internal triggers and don't process attacker-controlled strings.
- **Rule of thumb**: If the workflow reads issue/PR bodies, comment text, or any user-provided strings → use a narrow list. If the workflow only reads GitHub API responses or artifacts → `["*"]` is acceptable.

Also add a short example showing a PR workflow with a narrow list vs. a scheduled workflow with ["*"].

Files to Modify

  • .github/aw/github-agentic-workflows.md — add decision rule near the bash: tool documentation

Acceptance Criteria

  • A clear decision rule is documented distinguishing PR-triggered from scheduled/dispatch workflows
  • The rule explains why narrow allowlists matter for untrusted input
  • At least one example shows a narrow allowlist for a PR-triggered workflow
  • At least one example shows ["*"] for a scheduled workflow

Generated by Plan Command for issue #discussion #27482 · ● 292.8K ·

  • expires on Apr 23, 2026, 5:16 AM UTC

Metadata

Metadata

Assignees

Labels

ai-generatedcookieIssue Monster Loves Cookies!plan

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions