
ci: PR tagging fixes #8

Merged: jescalada merged 4 commits into main from 1517-gitlabflow-workflow-fixes on May 4, 2026

Conversation

@jescalada (Owner)

No description provided.

github-actions Bot commented May 3, 2026

Hi @jescalada! Thanks for working on this PR.

I notice the description is empty - could you please add a description explaining what changes you've made and why? Even a brief summary of what CI/PR tagging fixes are included would be really helpful for reviewers.

Also, please link this PR to a relevant issue using keywords like "Fixes finos#123" or "Closes finos#456". If there isn't an existing issue, consider creating one first to document the problem this PR solves.

Thanks!

github-actions Bot commented May 3, 2026

🔒 Automated Security Review

Security Review Summary

⚠️ MEDIUM RISK: Potential security concerns identified with pull_request_target usage.

Findings

1. Unsafe pull_request_target trigger in auto-label.yml

File: .github/workflows/auto-label.yml
Issue: The workflow uses pull_request_target which runs in the context of the target repository with write permissions, even for PRs from forks. This can be exploited if the action processes untrusted input from the PR.

Risk: If the release-drafter/release-drafter/autolabeler@v7 action processes PR content (titles, descriptions, file paths) without proper sanitization, malicious contributors could potentially execute code in the target repository's context.

Recommendation:

  • Consider using pull_request instead if the workflow doesn't need write permissions to the base repository
  • If pull_request_target is necessary, ensure the action is well-vetted and doesn't process untrusted user input unsafely
  • Pin to a specific commit hash instead of a tag for better supply chain security

2. Unpinned action version

File: .github/workflows/auto-label.yml
Issue: Using @v7 tag instead of a pinned commit hash makes the workflow vulnerable to tag poisoning attacks.

Recommendation: Pin to the specific commit hash (e.g., @139054aeaa9adc52ab36ddf67437541f039b88e2 as used in the removed code).

Positive Security Changes

  • The removal of the release-drafter step from pr-lint.yml actually improves security by eliminating duplicate pull_request_target usage with GITHUB_TOKEN.

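The two findings in the automated review above (a `pull_request_target` trigger that hands fork PRs the base repository's token, and an action referenced by a mutable `@v7` tag instead of a commit SHA) are both conditions a CI gate can detect mechanically before merge. The script below is an added example, not code from this repository or from release-drafter: a dependency-free Python checker that scans workflow text for both patterns, run here over two constructed workflows, a weak form shaped like the one the review describes and a hardened variant. The 40-character SHA on the autolabeler step is the one the review quotes; the SHA on `actions/checkout` is a placeholder, not a real commit.

```python
import re
from typing import List

# Constructed sample resembling the flagged auto-label.yml (not the repository's actual file):
# pull_request_target trigger plus actions referenced by mutable tags.
WEAK_WORKFLOW = """\
name: auto-label
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: release-drafter/release-drafter/autolabeler@v7
"""

# Constructed hardened variant: pull_request trigger and every action pinned to a full commit SHA.
# The autolabeler SHA is the one quoted in the review; the checkout SHA is a PLACEHOLDER, not a real commit.
HARDENED_WORKFLOW = """\
name: auto-label
on:
  pull_request:  # replaced pull_request_target; fork PRs now get a read-only token
    types: [opened, synchronize]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: release-drafter/release-drafter/autolabeler@139054aeaa9adc52ab36ddf67437541f039b88e2  # v7
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PRT_RE = re.compile(r"(?<![\w-])pull_request_target(?![\w-])")


def strip_comments(text: str) -> str:
    """Drop YAML line comments so a '# ... pull_request_target ...' note is not a finding."""
    return "\n".join(re.sub(r"(^|\s)#.*$", "", line) for line in text.splitlines())


def uses_pull_request_target(text: str) -> bool:
    """True if the workflow references the pull_request_target event outside comments."""
    return PRT_RE.search(strip_comments(text)) is not None


def unpinned_actions(text: str) -> List[str]:
    """Return 'owner/repo[/path]@ref' for each `uses:` whose ref is not a 40-hex commit SHA.

    Local actions (./path) are skipped: they are versioned with the repository itself.
    """
    findings = []
    for match in USES_RE.finditer(strip_comments(text)):
        action, ref = match.group(1), match.group(2)
        if action.startswith("./"):
            continue
        if not SHA_RE.match(ref):
            findings.append(f"{action}@{ref}")
    return findings


def review_workflow(name: str, text: str) -> List[str]:
    """Produce one finding line per problem, in the same spirit as the review above."""
    findings = []
    if uses_pull_request_target(text):
        findings.append(
            f"{name}: pull_request_target runs fork PRs with the base repository's token; "
            "use pull_request unless write access to the base repository is required"
        )
    for ref in unpinned_actions(text):
        findings.append(f"{name}: {ref} is not pinned to a commit SHA")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{label}]")
        for line in review_workflow("auto-label.yml", wf) or ["no findings"]:
            print("  " + line)
```

Running the checker reports three findings for the weak workflow (the trigger and two unpinned actions) and none for the hardened one. One caveat the hardened form inherits from the review's own first recommendation: with `pull_request`, a fork PR's `GITHUB_TOKEN` is read-only, and applying labels needs `pull-requests: write`, so switching the trigger trades away labeling on fork PRs unless that step is handled elsewhere; the review leaves that trade-off to the maintainers.
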
@jescalada jescalada merged commit b19446a into main May 4, 2026
7 of 18 checks passed