Skip to content

[task] Fix dangerous workflow_run trigger in ci-doctor.md (HIGH severity) #3982

Closed
#4015
Closed
[task] Fix dangerous workflow_run trigger in ci-doctor.md (HIGH severity)#3982
#4015
Assignees
copilot-swe-agent
Labels
ai-generatedtask
@github-actions

Description

@github-actions
github-actions
bot
opened on Nov 14, 2025

Objective

Replace the insecure workflow_run trigger in ci-doctor.md with a secure scheduled trigger that uses the GitHub API to check for failed workflow runs.

Context

The CI Doctor workflow currently uses the workflow_run trigger, which poses HIGH security risks:

  • Privilege Escalation Risk: Triggered workflows inherit permissions/secrets from the triggering workflow
  • Branch Protection Bypass: Can execute on protected branches via unprotected branches
  • Secret Exposure: Secrets available even when triggered by untrusted code
  • No Review Gate: Executes automatically without code review

This is finding #1 from discussion #3945 (Static Analysis Report - November 14, 2025).

Approach

  1. Replace workflow_run trigger with scheduled trigger (cron: '*/30 * * * *')
  2. Add workflow_dispatch for manual triggers
  3. Use actions/github-script@v7 to query GitHub API for workflow runs
  4. Filter for failures in the last 30 minutes to avoid duplicate processing
  5. Preserve all existing CI Doctor analysis logic

Files to Modify

  • .github/workflows/ci-doctor.md (line 47 - trigger section)
  • Test the compiled .github/workflows/ci-doctor.lock.yml after changes

Acceptance Criteria

  • workflow_run trigger removed from ci-doctor.md
  • Scheduled trigger (every 30 minutes) added
  • workflow_dispatch trigger added for manual execution
  • GitHub API call implemented to query workflow runs
  • Filtering logic for recent failures (last 30 minutes) implemented
  • All existing CI Doctor functionality preserved
  • Workflow compiles successfully with gh aw compile ci-doctor
  • Manual test confirms workflow detects failures correctly
  • Permissions updated to minimum required: actions: read, contents: read, issues: write

Security Impact

Fixes HIGH severity security vulnerability that could allow:

  • Arbitrary code execution with elevated permissions
  • Access to repository secrets
  • Modification of protected branches
  • Bypass of security controls

Estimated Effort

2-4 hours

AI generated by Plan Command for discussion #3945

Metadata

Metadata

Assignees

Labels

ai-generatedtask

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions