Harden changelog-preview and downstream caller usage#795
Closed
geoffg-sentry wants to merge 1 commit into
Closed
Conversation
Comment on lines
-53
to
55
| # - No code from the PR is ever executed | ||
| # | ||
| # SECURITY NOTES FOR CALLERS: | ||
| # Callers that invoke this workflow on pull_request_target are checking out | ||
| # attacker-controlled code and running Craft against it. To reduce blast | ||
| # radius, callers SHOULD: | ||
| # - Pin this workflow to a commit SHA, not a moving tag like @v2. | ||
| # - Grant only the minimum permissions shown above; never add | ||
| # `contents: write` or other scopes to this job. | ||
| # - Be aware that Craft reads `.craft.env` from the config-file directory | ||
| # and copies its keys into the environment; hardening for that case is | ||
| # tracked separately. | ||
| workflow_call: |
There was a problem hiding this comment.
Bug: The comment input was removed from workflow_call.inputs, breaking downstream callers that pass comment: false.
Severity: HIGH
Suggested Fix
Either keep the comment input declared in workflow_call.inputs (even if the status check code path is removed, just ignore the input value and always use comment mode), or ensure all downstream callers are updated simultaneously to stop passing comment: false.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: .github/workflows/changelog-preview.yml#L53-L55
Potential issue: The `comment` boolean input was removed from the `workflow_call` inputs
definition (old lines 66-70), but the PR description states "workflow_call contract for
downstream callers is unchanged." GitHub Actions validates inputs passed to reusable
workflows against the declared `workflow_call.inputs`. Any downstream caller that passes
`comment: false` (as documented in `docs/src/content/docs/github-actions.md` lines 196
and 243) will fail with an "Unexpected value 'comment'" error when the workflow is
invoked. The entire status check mode code path was also removed, but callers
referencing `comment: false` won't even get to that point — the workflow call itself
will be rejected by GitHub Actions.
Did we get this right? 👍 / 👎 to inform future reviews.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Some hardening for the workflow