From b697bad84d5036a5c9d94049eb9f610774048d95 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 09:32:28 +0000 Subject: [PATCH 1/3] Initial plan From 7a8f73fa7494f9f4b45ff5ba76984a498b9e540a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 09:49:34 +0000 Subject: [PATCH 2/3] Replace deprecated needs.activation.outputs.{text,title,body} with steps.sanitized.outputs.* Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/compile_security_benchmark_test.go | 2 +- scratchpad/github-actions-security-best-practices.md | 6 +++--- scratchpad/oh-my-code.md | 2 +- scratchpad/template-injection-prevention.md | 2 +- specs/security-architecture-spec-validation.md | 2 +- specs/security-architecture-spec.md | 10 +++++----- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/pkg/cli/compile_security_benchmark_test.go b/pkg/cli/compile_security_benchmark_test.go index 6790915ba23..bddf0c48d69 100644 --- a/pkg/cli/compile_security_benchmark_test.go +++ b/pkg/cli/compile_security_benchmark_test.go @@ -93,7 +93,7 @@ timeout-minutes: 10 Analyze the issue and provide feedback. -Issue: ${{ needs.activation.outputs.text }} +Issue: ${{ steps.sanitized.outputs.text }} ` testFile := filepath.Join(tmpDir, "test-workflow.md") diff --git a/scratchpad/github-actions-security-best-practices.md b/scratchpad/github-actions-security-best-practices.md index 48d47c5321b..670ebbff893 100644 --- a/scratchpad/github-actions-security-best-practices.md +++ b/scratchpad/github-actions-security-best-practices.md @@ -68,10 +68,10 @@ jobs: ```yaml # SECURE: Use sanitized context output # For GitHub Agentic Workflows -Analyze this content: "${{ needs.activation.outputs.text }}" +Analyze this content: "${{ steps.sanitized.outputs.text }}" ``` -**Why it's secure**: The `needs.activation.outputs.text` output is automatically sanitized: +**Why it's secure**: The `steps.sanitized.outputs.text` output is automatically sanitized: - @mentions neutralized (`` `@user` ``) - Bot triggers protected (`` `fixes #123` ``) - XML tags converted to safe format @@ -929,7 +929,7 @@ Use this checklist when creating or reviewing GitHub Actions workflows: - [ ] No untrusted input in `${{ }}` expressions - [ ] Untrusted data passed via environment variables - [ ] Safe context variables used where possible -- [ ] Sanitized context used (gh-aw: `needs.activation.outputs.text`) +- [ ] Sanitized context used (gh-aw: `steps.sanitized.outputs.text`) ### Shell Scripts - [ ] All variables quoted: `"$VAR"` diff --git a/scratchpad/oh-my-code.md b/scratchpad/oh-my-code.md index fbadd03a8e0..85a2358a5a0 100644 --- a/scratchpad/oh-my-code.md +++ b/scratchpad/oh-my-code.md @@ -586,7 +586,7 @@ on: | **Sandboxing** | GitHub Actions containers | Limited blast radius | | **SHA pinning** | `actions/checkout@abc123...` | Supply chain security | | **Expression limits** | Max 120 chars per expression | Prevent injection attacks | -| **Context sanitization** | `needs.activation.outputs.text` | Neutralized @mentions, safe XML | +| **Context sanitization** | `steps.sanitized.outputs.text` | Neutralized @mentions, safe XML | | **Audit logging** | GitHub Actions logs | Full traceability | **Risk Profile**: **Low trust, controlled power** - Suitable for team/org automation with strict security requirements diff --git a/scratchpad/template-injection-prevention.md b/scratchpad/template-injection-prevention.md index 65242008dc5..6ed58136582 100644 --- a/scratchpad/template-injection-prevention.md +++ b/scratchpad/template-injection-prevention.md @@ -111,7 +111,7 @@ When writing GitHub Actions workflows: - ❌ `${{ steps.*.outputs.* }}` (step outputs may contain user data) 2. **Use sanitized context instead:** - - ✅ `${{ needs.activation.outputs.text }}` (sanitized by gh-aw) + - ✅ `${{ steps.sanitized.outputs.text }}` (sanitized by gh-aw) 3. **Pass data through environment variables:** ```yaml diff --git a/specs/security-architecture-spec-validation.md b/specs/security-architecture-spec-validation.md index 574e41add9a..c3197fef45d 100644 --- a/specs/security-architecture-spec-validation.md +++ b/specs/security-architecture-spec-validation.md @@ -31,7 +31,7 @@ All major security architecture claims in the specification have been verified a **Specification Claim**: > **OI-01**: A conforming implementation MUST separate workflow execution into distinct job types: -> 1. **Activation Job**: Performs sanitization and produces `needs.activation.outputs.text` +> 1. **Activation Job**: Performs sanitization and produces `steps.sanitized.outputs.text` > 2. **Agent Job**: Executes AI agent with read-only permissions > 3. **Safe Output Jobs**: Perform validated GitHub API operations with write permissions diff --git a/specs/security-architecture-spec.md b/specs/security-architecture-spec.md index a43886a9850..aacb4e318f3 100644 --- a/specs/security-architecture-spec.md +++ b/specs/security-architecture-spec.md @@ -275,7 +275,7 @@ The input sanitization layer protects against template injection and prompt inje - Commit messages - User-provided input fields -**IS-02**: Sanitized content MUST be made available through a dedicated output variable (e.g., `needs.activation.outputs.text`). +**IS-02**: Sanitized content MUST be made available through a dedicated output variable (e.g., `steps.sanitized.outputs.text`). **IS-03**: Workflows MUST NOT use raw GitHub event context (e.g., `github.event.issue.title`) directly in AI agent prompts. @@ -388,7 +388,7 @@ The output isolation layer enforces separation between AI agent operations (read **OI-01**: A conforming implementation MUST separate workflow execution into distinct job types: -1. **Activation Job**: Performs sanitization and produces `needs.activation.outputs.text` +1. **Activation Job**: Performs sanitization and produces `steps.sanitized.outputs.text` 2. **Agent Job**: Executes AI agent with read-only permissions 3. **Safe Output Jobs**: Perform validated GitHub API operations with write permissions @@ -875,7 +875,7 @@ Compilation-time security checks validate workflow definitions before generating - `${{ github.actor }}` - `${{ github.repository }}` - `${{ github.run_id }}` -- `${{ needs.activation.outputs.text }}` (sanitized) +- `${{ steps.sanitized.outputs.text }}` (sanitized) **CS-05**: Expression safety violations MUST cause compilation failure with suggestions for safe alternatives. @@ -1735,7 +1735,7 @@ Use this checklist to verify that a compiled `.lock.yml` workflow file meets all - [ ] `activation` job runs the timestamp validation step (`check_workflow_timestamp_api.cjs`) - [ ] `activation` job runs the sanitize content step (`sanitize_content_core.cjs`) -- [ ] Agent prompts use `needs.activation.outputs.text` (sanitized), not raw `github.event.*` context +- [ ] Agent prompts use `steps.sanitized.outputs.text` (sanitized), not raw `github.event.*` context #### G.5 Threat Detection @@ -1781,7 +1781,7 @@ prompt: | **Do**: ```yaml prompt: | - Analyze this issue: ${{ needs.activation.outputs.text }} + Analyze this issue: ${{ steps.sanitized.outputs.text }} ``` #### BP-02: Enable Strict Mode for Production From aca29cd1476e04ab09a374dc5f61e12283a32ee8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 10:26:02 +0000 Subject: [PATCH 3/3] Fix contradictory guidance: clarify steps.sanitized.outputs.* is the safe exception Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- scratchpad/template-injection-prevention.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scratchpad/template-injection-prevention.md b/scratchpad/template-injection-prevention.md index 6ed58136582..334297cd2ad 100644 --- a/scratchpad/template-injection-prevention.md +++ b/scratchpad/template-injection-prevention.md @@ -108,10 +108,10 @@ When writing GitHub Actions workflows: - ❌ `${{ github.event.head_commit.message }}` - ❌ `${{ github.head_ref }}` (can be controlled by PR authors) - ❌ `${{ github.ref_name }}` (branch/tag names) - - ❌ `${{ steps.*.outputs.* }}` (step outputs may contain user data) + - ❌ `${{ steps.*.outputs.* }}` (generic step outputs may contain user data; exception: `steps.sanitized.outputs.*` below) 2. **Use sanitized context instead:** - - ✅ `${{ steps.sanitized.outputs.text }}` (sanitized by gh-aw) + - ✅ `${{ steps.sanitized.outputs.text }}` (sanitized by gh-aw — this is the explicit exception to the rule above) 3. **Pass data through environment variables:** ```yaml