[Safe Outputs Conformance] SEC-005: push_experiment_state.cjs supports target-repo without allowlist validation #30541

@github-actions

Conformance Check Failure

Check ID: SEC-005
Severity: HIGH
Category: Security

Problem Description

The Safe Outputs specification requires that any handler supporting cross-repository operations must validate the target repository against an allowlist. push_experiment_state.cjs constructs and uses a targetRepo value to build an authenticated repoUrl and push commits, but contains no allowedRepos, validateTargetRepo, or checkAllowedRepo guard. Without an allowlist check, the push destination is not constrained beyond whatever context.repo resolves to at runtime.

Affected Components

  • File: actions/setup/js/push_experiment_state.cjs
  • Variable: targetRepo (line ~62) — built from context.repo.owner/context.repo.repo
  • Usage: Used to construct authenticated repoUrl passed to checkoutOrCreateBranch and pushSignedCommits

🔍 Current vs Expected Behavior

Current Behavior

const targetRepo = `${context.repo.owner}/${context.repo.repo}`;
// ... used to build repoUrl and push without any allowlist guard

The handler has no check like:

const allowedRepos = ['github/gh-aw'];
if (!allowedRepos.includes(targetRepo)) { core.setFailed(...); return; }

Expected Behavior

Per SEC-005, handlers that resolve or use a target repository must verify it against an allowlist before performing any write operations. Even if targetRepo is currently always the current repository, the specification requires an explicit allowlist check to prevent future regressions if the handler is extended to accept external input.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. In push_experiment_state.cjs, add an allowedRepos check immediately after targetRepo is computed (around line 62).
  2. Either hard-code the allowlist to the current repository ([context.repo.owner + '/' + context.repo.repo]) or read from an environment variable GH_AW_ALLOWED_TARGET_REPOS.
  3. If targetRepo is not in the allowlist, call core.setFailed(...) and return early.
  4. Name the guard function or variable so it matches one of allowedRepos, validateTargetRepo, or checkAllowedRepo for the conformance checker to detect.
  5. Re-run bash scripts/check-safe-outputs-conformance.sh to confirm SEC-005 passes.

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The check SEC-005 should pass without errors.

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Run ID: §25420004862
  • Date: 2026-05-06

Generated by Daily Safe Outputs Conformance Checker

  • expires on May 7, 2026, 6:33 AM UTC
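
One way to implement the guard from the remediation steps above, as an added example that is not the project's own code. It assumes GH_AW_ALLOWED_TARGET_REPOS is a comma-separated list of owner/repo slugs; parseAllowedRepos and guardPush are hypothetical helper names, and context and core are the objects the handler already uses.

```javascript
// Added example: fail-closed allowlist guard for the push target (SEC-005).
// Assumption: GH_AW_ALLOWED_TARGET_REPOS holds comma-separated owner/repo slugs.
// Exact slugs only: wildcard or malformed entries are rejected, not ignored.
const SLUG_RE = /^[A-Za-z0-9][A-Za-z0-9-]*\/[A-Za-z0-9._-]+$/;

// Build the allowlist; with no env value it falls back to the current repo only.
function parseAllowedRepos(envValue, currentRepo) {
  const raw = (envValue || "").split(",").map(s => s.trim()).filter(Boolean);
  const entries = raw.length > 0 ? raw : [currentRepo];
  const allowedRepos = new Set();
  for (const entry of entries) {
    if (!SLUG_RE.test(entry)) {
      throw new Error(`Invalid allowlist entry: ${JSON.stringify(entry)}`);
    }
    // GitHub owner and repository names are case-insensitive.
    allowedRepos.add(entry.toLowerCase());
  }
  return allowedRepos;
}

// Return a verdict instead of throwing so the caller decides how to fail.
function validateTargetRepo(targetRepo, allowedRepos) {
  if (typeof targetRepo !== "string" || !SLUG_RE.test(targetRepo)) {
    return { ok: false, reason: `malformed target repository ${JSON.stringify(targetRepo)}` };
  }
  if (!allowedRepos.has(targetRepo.toLowerCase())) {
    return { ok: false, reason: `target repository ${targetRepo} is not in the allowlist` };
  }
  return { ok: true, reason: "" };
}

// Hypothetical placement: run right after targetRepo is computed, before any
// repoUrl is built or any commit is pushed. Returns false when the push must stop.
function guardPush(context, core, env) {
  const targetRepo = `${context.repo.owner}/${context.repo.repo}`;
  let allowedRepos;
  try {
    allowedRepos = parseAllowedRepos(env.GH_AW_ALLOWED_TARGET_REPOS, targetRepo);
  } catch (err) {
    core.setFailed(`SEC-005: ${err.message}`);
    return false;
  }
  const verdict = validateTargetRepo(targetRepo, allowedRepos);
  if (!verdict.ok) core.setFailed(`SEC-005: ${verdict.reason}`);
  return verdict.ok;
}
```

An unset variable reduces the allowlist to the current repository, so the guard only changes behaviour once the handler accepts a target from elsewhere or an operator sets the variable explicitly.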
