Skip to content

fix: default sink-visibility to "public" when repository visibility check fails#44286

Merged
pelikhan merged 3 commits into
mainfrom
copilot/ensure-sink-visibility-default
Jul 8, 2026
Merged

fix: default sink-visibility to "public" when repository visibility check fails#44286
pelikhan merged 3 commits into
mainfrom
copilot/ensure-sink-visibility-default

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

When the determine-automatic-lockdown step fails to fetch repository visibility, sink-visibility was set to "unknown" — an unrecognised value that guard policy enforcement could handle unpredictably.

Changes

  • determine_automatic_lockdown.cjs: Change visibility fallback in the catch block from "unknown""public", and update the warning message to name the default explicitly.
  • determine_automatic_lockdown.test.cjs: Update the API-failure test assertion to expect "public".

Rationale

"public" is the safe conservative choice: it forces min-integrity='approved' + repos='all', i.e. the same strict policy applied to public repos. Defaulting to an unknown string risks the guard treating it as unrecognised and applying no policy.

Copilot AI and others added 2 commits July 8, 2026 12:04
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… fails

When the repository visibility API call fails in determine_automatic_lockdown.cjs,
default sink-visibility to 'public' instead of 'unknown'. This is the conservative
choice: treating an unknown repository as public applies the stricter guard policy
(min-integrity='approved'), preventing potential security gaps if the check fails.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title fix: use conservative 'public' default for sink-visibility when check fails fix: default sink-visibility to "public" when repository visibility check fails Jul 8, 2026
Copilot AI requested a review from pelikhan July 8, 2026 12:14
@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot revert lock.yml changes

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot revert lock.yml changes

Done — reverted all .lock.yml changes in commit revert: restore lock.yml files to pre-PR state.

@pelikhan pelikhan marked this pull request as ready for review July 8, 2026 12:27
Copilot AI review requested due to automatic review settings July 8, 2026 12:27
@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@lpcox please review

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the determine-automatic-lockdown GitHub Actions step by ensuring sink-visibility (via the step’s visibility output) defaults to a recognized, conservative value when repository visibility cannot be fetched, preventing unpredictable guard policy enforcement.

Changes:

  • Default visibility output from "unknown" to "public" on error to force the strict/public guard policy path.
  • Update the warning message to explicitly call out the conservative default.
  • Adjust the API-failure unit test to expect "public".
Show a summary per file
File Description
actions/setup/js/determine_automatic_lockdown.cjs Changes error fallback to emit visibility=public and updates the warning message accordingly.
actions/setup/js/determine_automatic_lockdown.test.cjs Updates the API-failure test to assert the new visibility=public fallback.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1
  • Review effort level: Low

core.setOutput("visibility", "unknown");
core.warning("Failed to determine repository visibility. Defaulting to guard policy min-integrity='approved', repos='all' for security.");
core.setOutput("visibility", "public");
core.warning("Failed to determine repository visibility. Defaulting to visibility='public' (conservative), min-integrity='approved', repos='all' for security.");
@pelikhan pelikhan merged commit 448f8ee into main Jul 8, 2026
15 checks passed
@pelikhan pelikhan deleted the copilot/ensure-sink-visibility-default branch July 8, 2026 12:37
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.6

@github-actions github-actions Bot mentioned this pull request Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants