some testing

[Inverle]

ignore this PR

[Inverle]

/fix-all

[github-actions]

🤖 Command /fix-all received. Running…

[github-actions]

❌ Command /fix-all failed. Check the workflow run for details.

[Inverle]

oh ok

[Alkarex]

See example: #8081 (comment)

[Inverle]

/fix-all

[github-actions]

🤖 Command /fix-all received. Running…

[github-actions]

✅ Command /fix-all completed with no change.

[Inverle]

/fix-all

[github-actions]

🤖 Command /fix-all received. Running…

[github-actions]

✅ Command /fix-all completed with no change.

[Inverle]

/fix-all

[github-actions]

🤖 Command /fix-all received. Running…

[github-actions]

❌ Command /fix-all failed. Check the workflow run for details.

[Inverle]

/fix-all

[github-actions]

🤖 Command /fix-all received. Running…

[github-actions]

❌ Command /fix-all failed. Check the workflow run for details.

[Inverle]

Sorry for the spam

[Alkarex]

No worries, seems to work fine?

[Inverle]

/fix-all

[github-actions]

🤖 Command /fix-all received. Running…

[github-actions]

❌ Command /fix-all failed. Check the workflow run for details.

[Inverle]

/fix-all

[github-actions]

🤖 Command /fix-all received. Running…

[github-actions]

✅ Command /fix-all completed with no change.

[Inverle]

@Alkarex I don't have permissions to change labels but I was able to do that using the action. Seems like a vulnerability?

[Inverle]

relevant zizmor output:

root@vmware:/tmp/fff# zizmor ./test.yml
 INFO zizmor::registry: skipping impostor-commit: can't run without a GitHub API token
 INFO zizmor::registry: skipping ref-confusion: can't run without a GitHub API token
 INFO zizmor::registry: skipping known-vulnerable-actions: can't run without a GitHub API token
 INFO zizmor::registry: skipping stale-action-refs: can't run without a GitHub API token
 INFO zizmor::registry: skipping ref-version-mismatch: can't run without a GitHub API token
 INFO audit: zizmor: 🌈 completed ./test.yml
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./test.yml:60:9
   |
60 |         - name: Checkout PR branch
   |  _________^
61 | |         uses: actions/checkout@v5
62 | |         with:
63 | |           token: ${{ secrets.GITHUB_TOKEN }}
64 | |           repository: ${{ fromJSON(steps.pr.outputs.result).repo.full_name }}
65 | |           ref: ${{ fromJSON(steps.pr.outputs.result).ref }}
   | |___________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

[Inverle]

/fix-all

[github-actions]

🤖 Command /fix-all received. Running…

[github-actions]

✅ Command /fix-all completed with no change.

[Inverle]

I can also change title of #8093 to "pwn"

I think it's also possible to add commits to PRs but I already had trouble doing that (look at the spam before)

[Inverle]

Oh wait the action also has contents: write permission, meaning it's possible to make commits directly to the edge / latest branch too

I would try to do that but I don't know git very well[1], so best to fix this as soon as possible
see this: Inverle#2 (comment) (it did work on my fork)

[1]: this line is making it hard, it wasn't there before:

FreshRSS/.github/workflows/commands.yml

Line 64 in 458832c

repository: ${{ fromJSON(steps.pr.outputs.result).repo.full_name }}

[Alkarex]

Good catch. PR welcome if you can

[Inverle]

Note that whatever malicious commit would get added to latest/edge, it also gets published to Docker automatically...

contents: write permission allows for making releases as well:

https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents

[Alkarex]

I have temporarily disabled it, until it is fixed

[Inverle]

/fix-all (it's disabled)

[Inverle]

#8100