fix: default sink-visibility to "public" when repository visibility check fails#44286
Merged
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… fails When the repository visibility API call fails in determine_automatic_lockdown.cjs, default sink-visibility to 'public' instead of 'unknown'. This is the conservative choice: treating an unknown repository as public applies the stricter guard policy (min-integrity='approved'), preventing potential security gaps if the check fails. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
fix: use conservative 'public' default for sink-visibility when check fails
fix: default sink-visibility to "public" when repository visibility check fails
Jul 8, 2026
Copilot created this pull request from a session on behalf of
pelikhan
July 8, 2026 12:14
View session
Collaborator
|
@copilot revert lock.yml changes |
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor
Author
Done — reverted all |
Collaborator
|
@lpcox please review |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the determine-automatic-lockdown GitHub Actions step by ensuring sink-visibility (via the step’s visibility output) defaults to a recognized, conservative value when repository visibility cannot be fetched, preventing unpredictable guard policy enforcement.
Changes:
- Default
visibilityoutput from"unknown"to"public"on error to force the strict/public guard policy path. - Update the warning message to explicitly call out the conservative default.
- Adjust the API-failure unit test to expect
"public".
Show a summary per file
| File | Description |
|---|---|
| actions/setup/js/determine_automatic_lockdown.cjs | Changes error fallback to emit visibility=public and updates the warning message accordingly. |
| actions/setup/js/determine_automatic_lockdown.test.cjs | Updates the API-failure test to assert the new visibility=public fallback. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 1
- Review effort level: Low
| core.setOutput("visibility", "unknown"); | ||
| core.warning("Failed to determine repository visibility. Defaulting to guard policy min-integrity='approved', repos='all' for security."); | ||
| core.setOutput("visibility", "public"); | ||
| core.warning("Failed to determine repository visibility. Defaulting to visibility='public' (conservative), min-integrity='approved', repos='all' for security."); |
Contributor
|
🎉 This pull request is included in a new release. Release: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When the
determine-automatic-lockdownstep fails to fetch repository visibility,sink-visibilitywas set to"unknown"— an unrecognised value that guard policy enforcement could handle unpredictably.Changes
determine_automatic_lockdown.cjs: Changevisibilityfallback in thecatchblock from"unknown"→"public", and update the warning message to name the default explicitly.determine_automatic_lockdown.test.cjs: Update the API-failure test assertion to expect"public".Rationale
"public"is the safe conservative choice: it forcesmin-integrity='approved'+repos='all', i.e. the same strict policy applied to public repos. Defaulting to an unknown string risks the guard treating it as unrecognised and applying no policy.