💡 Codex Review
Here are some automated review suggestions for this pull request.
| # Clean up caches associated with the PR | ||
| # -------------------------------------------------------------------- | ||
| - name: 🧹 Cleanup caches | ||
| id: clean | ||
| if: env.CLEAN_CACHE == 'true' | ||
| env: | ||
| PR_NUMBER: ${{ github.event.pull_request.number }} | ||
| PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GH_REPO: ${{ github.repository }} | ||
| run: | | ||
| echo "🧹 Cleaning up caches for fork PR #$PR_NUMBER..." | ||
| echo "════════════════════════════════════════════════════════════════" | ||
|
|
||
| # Fetch the list of cache keys for this PR | ||
| echo "📋 Fetching cache list for PR #$PR_NUMBER..." | ||
|
|
||
| # Get all caches and filter for this PR (checking multiple possible refs) | ||
| allCaches=$(gh cache list --limit 100 --json id,key,ref) | ||
|
|
||
| # Debug: Show what refs we're looking for | ||
| echo "🔍 Looking for caches with refs:" | ||
| echo " - refs/pull/$PR_NUMBER/merge" | ||
| echo " - refs/pull/$PR_NUMBER/head" | ||
| echo " - refs/heads/$PR_HEAD_REF" | ||
|
|
||
| # Filter caches that belong to this PR (multiple possible refs) | ||
| cacheKeysForPR=$(echo "$allCaches" | jq -r --arg pr "$PR_NUMBER" --arg branch "$PR_HEAD_REF" \ | ||
| '.[] | select( | ||
| .ref == "refs/pull/\($pr)/merge" or | ||
| .ref == "refs/pull/\($pr)/head" or | ||
| .ref == "refs/heads/\($branch)" | ||
| ) | .id') | ||
|
|
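Review bot: the third selector in the jq filter, `.ref == "refs/heads/\($branch)"`, makes the set of caches to delete depend on `PR_HEAD_REF`, and for a fork PR that branch name is chosen by the contributor while the step runs with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` against the base repository, so a fork branch named like a base-repo branch would get that branch's caches deleted. Keep only the `refs/pull/$PR_NUMBER/merge` and `refs/pull/$PR_NUMBER/head` selectors, or add the `refs/heads/` match only when `github.event.pull_request.head.repo.full_name == github.repository`. Also, `gh cache list --limit 100` caps the query at 100 entries, so on a repository with many caches the PR's entries may simply not be in the list and the step silently deletes nothing; a higher limit or a filter on the API query would make the cleanup reliable.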
Fork PR cache cleanup can delete caches for arbitrary branches
The new fork-management workflow deletes caches for references matching refs/heads/$PR_HEAD_REF. For fork pull requests the head branch name is attacker-controlled, and this workflow runs under pull_request_target with write access to the base repository. A contributor can open a fork PR from a branch named main (or any protected branch name) and, when the PR is closed, this step will purge caches for that branch (gh cache delete against refs/heads/main). This gives untrusted forks a trivial way to wipe primary caches and degrade CI performance. The cache cleanup logic should only target refs/pull/<PR> entries or otherwise verify the branch belongs to the fork before deleting.
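To make the finding concrete, here is an added example (not code from the PR or the repository) that models the cache selection of the cleanup step beside a hardened variant, run over a constructed `gh cache list --json id,key,ref` result; the function names, the sample cache entries and the `head_repo`/`base_repo` parameters are assumptions for illustration.

```python
import json

# Constructed sample of `gh cache list --json id,key,ref` output for the base
# repository: one cache for the protected main branch, two for PR #42, one for
# a same-repo feature branch.
SAMPLE_CACHES = json.loads("""[
  {"id": 1, "key": "build-main-abc", "ref": "refs/heads/main"},
  {"id": 2, "key": "build-pr42-merge", "ref": "refs/pull/42/merge"},
  {"id": 3, "key": "build-pr42-head", "ref": "refs/pull/42/head"},
  {"id": 4, "key": "build-feature-x", "ref": "refs/heads/feature-x"}
]""")


def select_as_written(caches, pr_number, head_ref):
    """Mirror of the workflow's jq filter: the PR's merge/head refs plus
    refs/heads/<head ref>, with no check on where the head branch lives."""
    wanted = {
        f"refs/pull/{pr_number}/merge",
        f"refs/pull/{pr_number}/head",
        f"refs/heads/{head_ref}",
    }
    return sorted(c["id"] for c in caches if c["ref"] in wanted)


def select_hardened(caches, pr_number, head_ref, head_repo, base_repo):
    """Hardened variant: refs/heads/<head ref> is only considered when the PR
    head branch is in the base repository itself, so a fork cannot pick which
    base-repo branch gets its caches purged."""
    wanted = {
        f"refs/pull/{pr_number}/merge",
        f"refs/pull/{pr_number}/head",
    }
    if head_repo == base_repo:
        wanted.add(f"refs/heads/{head_ref}")
    return sorted(c["id"] for c in caches if c["ref"] in wanted)


if __name__ == "__main__":
    # Fork PR #42 whose head branch was deliberately named "main".
    print(select_as_written(SAMPLE_CACHES, 42, "main"))
    print(select_hardened(SAMPLE_CACHES, 42, "main", "fork/repo", "org/repo"))
```

The first call includes cache id 1 (the base repository's `main`), the second does not; a same-repo PR still gets its own branch cache included.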
What Changed
Directory Synchronization Details
The following directories were synchronized:
- .github/tech-conventions → .github/tech-conventions
- .github/ISSUE_TEMPLATE → .github/ISSUE_TEMPLATE
- .github/workflows → .github/workflows
- .github/actions → .github/actions
- .vscode → .vscode
Performance Metrics
Why It Was Necessary
This synchronization ensures the target repository stays up-to-date with the latest changes from the configured source repository. The sync operation identifies and applies only the necessary file changes while maintaining consistency across repositories.
Testing Performed
Impact / Risk