New Workflow to CleanUp Plugins on PR Close #38
Merged
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| name: Cleanup PR Plugins | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [closed] | ||
|
|
||
| jobs: | ||
| cleanup: | ||
| runs-on: ubuntu-latest | ||
|
Check warning on line 9 in .github/workflows/pr-cleanup.yaml
|
||
| steps: | ||
| - name: Install & Configure SquaredUp CLI | ||
| env: | ||
| SQUAREDUP_API_KEY: ${{ secrets.SQUAREDUP_API_KEY }} | ||
| run: | | ||
| npm install -g @squaredup/cli | ||
| squaredup login --apiKey "$SQUAREDUP_API_KEY" | ||
|
|
||
| - name: Delete PR plugins | ||
| run: | | ||
| pr_number="${{ github.event.pull_request.number }}" | ||
| echo "Looking for plugins deployed by PR #${pr_number}..." | ||
|
|
||
| plugins=$(squaredup list --json) | ||
| matches=$(echo "$plugins" | jq -r --arg pr "-${pr_number}" '.[] | select(.displayName | endswith($pr)) | .id') | ||
|
|
||
| if [ -z "$matches" ]; then | ||
| echo "No plugins found for PR #${pr_number}." | ||
| exit 0 | ||
| fi | ||
|
|
||
| while IFS= read -r id; do | ||
| name=$(echo "$plugins" | jq -r --arg id "$id" '.[] | select(.id == $id) | .displayName') | ||
| echo "Deleting '${name}' (${id})..." | ||
| squaredup delete "${id}" | ||
| done <<< "$matches" | ||
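Review bot: the `npm install -g @squaredup/cli` line in the first step installs whatever version of the package is current at run time, with no version pin, so the code that receives `SQUAREDUP_API_KEY` on the next line can change without any change to this repository; pin an explicit version (`npm install -g @squaredup/cli@<version>`, with the version chosen and bumped deliberately) so upgrades are reviewed rather than silent. Secondly, the `Delete PR plugins` step selects plugins purely by the `displayName` suffix `-${pr_number}` in the `jq` filter; if any other repository or workflow deploys plugins with the same `-<number>` naming convention, closing a PR here would delete those as well, so a repository-specific prefix in the filter (or a check against a tag that records the deploying repository, if the CLI exposes one) would make the match unambiguous.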
🟡 The cleanup workflow has no explicit `permissions` block, so it inherits the repository's default GITHUB_TOKEN permissions (which may include broad write access). Since this workflow only uses `SQUAREDUP_API_KEY` and never needs the GITHUB_TOKEN, adding `permissions: {}` would enforce least privilege and reduce blast radius.

What the bug is: The `pr-cleanup.yaml` workflow omits an explicit `permissions` block entirely. When no `permissions` block is specified, a GitHub Actions workflow inherits the repository's default GITHUB_TOKEN permissions. Depending on organization and repository settings, those defaults can include write access to `contents`, `issues`, `pull-requests`, and other scopes.

The specific code path: Lines 7–9 define the `cleanup` job with only `runs-on: ubuntu-latest` and no `permissions:` key. The companion workflow `pr-run.yaml` explicitly declares `permissions: pull-requests: write` because it needs to post PR comments — demonstrating the team is already aware of the principle of least privilege. The cleanup workflow simply lacks the analogous declaration.

Why existing code doesn't prevent it: There is no `permissions` key at either the workflow level or the job level in `pr-cleanup.yaml`. GitHub's default behavior is to grant whatever the repository's default token permissions are, which is an implicit grant rather than an explicit, auditable one.

Impact: The GITHUB_TOKEN is minted and injected into every workflow run automatically. Even though no step currently uses it, a token with broad write permissions exists in the runner environment. If the workflow is ever compromised (e.g., via a malicious dependency in the `@squaredup/cli` package), the token could be exfiltrated and used to push code, create releases, modify issues, or take other privileged actions against the repository. Setting `permissions: {}` would make the minted token essentially useless, minimizing blast radius.

How to fix it: Add an explicit empty permissions block to the job (or at the workflow level):

Step-by-step proof:

- … `secrets.GITHUB_TOKEN` and the `GITHUB_TOKEN` environment variable.
- … `permissions:` block, the token's scopes are set by the repository's "Default permissions" setting (Settings → Actions → General). Many repos default to "Read and write permissions" for all scopes.
- … `pr-cleanup.yaml` workflow never calls any GitHub API and has no `actions/checkout` step — confirming it has zero need for any GITHUB_TOKEN scope.
- … `@squaredup/cli` could read `GITHUB_TOKEN` from the environment and use it to e.g. push a commit or create a release, since the token would carry write permissions.
- … `permissions: {}` would cause GitHub to mint a token with no scopes, making it inert even if exfiltrated.
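As an added illustration of the fix described in the comment above (this is not the reviewer's own snippet, nor a file from the repository), here is the workflow from the diff with a workflow-level `permissions: {}` added; everything other than that key and the comments is as in the diff:

```yaml
# Added example: pr-cleanup.yaml with an explicit empty permissions block.
# Only the `permissions: {}` line is new; the rest mirrors the diff above.
name: Cleanup PR Plugins

on:
  pull_request:
    types: [closed]

# Explicit, auditable declaration: GitHub mints a GITHUB_TOKEN with no scopes
# for every job in this file, instead of whatever the repository default is.
# A job that later needs the API must then declare its own scope explicitly.
permissions: {}

jobs:
  cleanup:
    runs-on: ubuntu-latest
    steps:
      - name: Install & Configure SquaredUp CLI
        env:
          SQUAREDUP_API_KEY: ${{ secrets.SQUAREDUP_API_KEY }}
        run: |
          npm install -g @squaredup/cli
          squaredup login --apiKey "$SQUAREDUP_API_KEY"

      - name: Delete PR plugins
        run: |
          pr_number="${{ github.event.pull_request.number }}"
          echo "Looking for plugins deployed by PR #${pr_number}..."

          plugins=$(squaredup list --json)
          matches=$(echo "$plugins" | jq -r --arg pr "-${pr_number}" '.[] | select(.displayName | endswith($pr)) | .id')

          if [ -z "$matches" ]; then
            echo "No plugins found for PR #${pr_number}."
            exit 0
          fi

          while IFS= read -r id; do
            name=$(echo "$plugins" | jq -r --arg id "$id" '.[] | select(.id == $id) | .displayName')
            echo "Deleting '${name}' (${id})..."
            squaredup delete "${id}"
          done <<< "$matches"
```

The same key can instead be placed under `jobs.cleanup` (indented alongside `runs-on`), which is the job-level form the comment mentions; for a single-job file the two are equivalent, and the job-level form is the one to use when other jobs in the same file genuinely need token scopes.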