fix: migrate secret and input interpolations to env: block pattern (PM-22118) #850
Merged
Secret and input interpolation remediation for CI/CD workflows. See: https://shielded.atlassian.net/browse/PM-22118 Made-with: Cursor
Replace direct ${{ secrets.* }} and ${{ github.event.inputs.* }}
interpolation in shell run: blocks with env: block indirection
across 6 workflow files:
- main.yml: M-F007 (docker login), M-F008 (earthly ARM64),
M-F010a (earthly AMD64)
- prs.yml: M-F009 (GHCR bearer token base64)
- continuous-integration-test.yml: M-F010b (earthly test)
- continuous-integration.yml: M-F010c (docker login)
- build-publish-contract-precompiles-image.yml: M-F010d (earthly)
- build-publish-contract-precompiles.yml: M-F011 (dispatch input
rust_version, 2 locations)
M-F012 (release-image.yml) confirmed as false positive — with:
blocks are safe. M-F014 (indexer submodule) requires separate
commit coordination.
Made-with: Cursor
Update indexer submodule pointer to include the M-F014 fix:
migrate ${{ github.event.inputs.node_tag }} direct interpolation
to env: block indirection in build-indexer-images.yaml.
Made-with: Cursor
Add change file for secret input interpolation remediation to satisfy the check-changes CI requirement. Made-with: Cursor
Resolve 4 conflicts in 3 files where main's refactoring (quoting style, export pattern) overlapped with PM-22118 env: block remediation. Keep env var references, adopt main's style changes. Made-with: Cursor
…les-image.yml File was deleted on main. M-F010d remediation for this file is no longer applicable — the vulnerable workflow no longer exists. Made-with: Cursor
Rebase the indexer fix commit onto current indexer main (e8ecb1a) so the build-indexer-images CI job has access to the indexer-api build target. Previous pointer was forked from an older indexer main that predated the indexer-api image addition. Made-with: Cursor
Rebase indexer PM-22118 fix onto the same base commit as main (3f0a8ef) to resolve justfile namespace mismatch. The previous pointer was rebased onto indexer HEAD (e8ecb1a) which changed docker image tags from ghcr.io/midnight-ntwrk/ to midnightntwrk/, causing the CI retagging step to fail. Made-with: Cursor
M-F014 (build-indexer-images.yaml) is in the indexer repo and out of scope for this midnight-node PR. Revert submodule to main's pointer. M-F014 remediation will be tracked as a separate indexer PR. Made-with: Cursor
gilescope approved these changes Mar 5, 2026
gilescope pushed a commit that referenced this pull request Apr 8, 2026
changed:
- stack config accepts only Kubernetes and Docker executors -> see e2e-tests/docs/configure-stack.md on how to use it
- saving files on remote host is done only via write_file fixture, which handles removing data after test completes
- write_file fixture can write non-json files as well
removed:
- SSHRunner
- binary-host dependency
Refs: ETCM-9557
m2ux added a commit that referenced this pull request Apr 23, 2026
changed:
- stack config accepts only Kubernetes and Docker executors -> see e2e-tests/docs/configure-stack.md on how to use it
- saving files on remote host is done only via write_file fixture, which handles removing data after test completes
- write_file fixture can write non-json files as well
removed:
- SSHRunner
- binary-host dependency
Refs: ETCM-9557
Signed-off-by: Mike Clay <mike.clay@shielded.io>
Summary

Remediate seven CI/CD security audit findings (M-F007 through M-F014) by migrating direct ${{ }} expression interpolation in GitHub Actions shell run: blocks to env: block indirection. Deep-dive analysis confirmed M-F012 as a false positive, refining the scope to 10 code changes across 7 files.

Motivation

Secrets and workflow_dispatch inputs are interpolated directly into shell run: blocks via ${{ }}. This means values are pasted verbatim into shell commands before execution, creating shell metacharacter injection and expression injection vulnerabilities. Workflows with packages:write permissions make this a supply-chain risk.

Each vulnerable interpolation is replaced with a two-part pattern: a step-level env: block maps a descriptive variable name to the ${{ }} expression, and the run: block references the value via "$VAR". This ensures values are always treated as data, never as executable code. All workflows behave identically — the change is invisible to end users.

Changes

- main.yml — 3 findings (M-F007, M-F008, M-F010a): REGISTRY_TOKEN for docker login, GITHUB_TOKEN for earthly (×2)
- prs.yml — 1 finding (M-F009): GHCR_SECRET for GHCR bearer token base64
- continuous-integration-test.yml — 1 finding (M-F010b): GITHUB_TOKEN for earthly test
- continuous-integration.yml — 1 finding (M-F010c): REGISTRY_TOKEN for docker login
- build-publish-contract-precompiles-image.yml — 1 finding (M-F010d): GH_TOKEN for earthly
- build-publish-contract-precompiles.yml — 2 findings (M-F011): RUST_VERSION for dispatch input (build + publish jobs)
- indexer/.github/workflows/build-indexer-images.yaml — 1 finding (M-F014): NODE_TAG_INPUT for dispatch input (3 interpolation sites)

Excluded: M-F012 (release-image.yml) — confirmed false positive. Lines 87 and 265 are with: blocks (safe action input context, not shell interpolation).

Follow-up items (deferred to separate tickets under PM-22116):
- release-image.yml
- actionlint CI step for workflow validation
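The before/after pattern described under Motivation, together with a check that finds the unremediated form, as an added example that is not part of this PR or of the project's own tooling. The two workflow snippets are constructed to mirror the docker login and rust_version dispatch-input cases above (the env var names REGISTRY_TOKEN and RUST_VERSION follow the PR's naming); the scanner is a deliberately small regex-based YAML walk with no PyYAML dependency, and it assumes conventionally indented workflow files.

```python
"""Added example, not the project's tooling: flag ${{ }} expressions that
reference secrets or workflow_dispatch inputs from inside a run: shell block,
while ignoring the same expressions in env: or with: mappings."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXPR = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")      # ${{ expr }}, group 1 = expr
# secrets.* and github.event.inputs.* are the contexts this PR remediates;
# inputs.* is the equivalent reusable-workflow/dispatch context.
UNTRUSTED = re.compile(r"^(secrets\.|github\.event\.inputs\.|inputs\.)")
# Mapping key, optionally as a list item ("- name: ..."); len(group 1) is the
# key's column, which is how YAML decides which mapping the key belongs to.
KEY = re.compile(r"^(\s*(?:-\s+)?)([A-Za-z_][\w-]*):(?:\s|$)")
BLOCK = re.compile(r":\s*[|>][+-]?\d?\s*$")      # "run: |", "run: >-", ...


@dataclass
class Finding:
    line: int   # 1-based line in the workflow text
    key: str    # YAML key whose value holds the expression
    expr: str   # expression text inside ${{ }}


def scan(workflow: str) -> List[Finding]:
    """Return untrusted ${{ }} expressions that sit inside a run: value."""
    findings: List[Finding] = []
    stack: List[Tuple[int, str]] = []        # (column, key) of enclosing keys
    block: Optional[Tuple[int, str]] = None  # (column, key) of an open "run: |"
    for lineno, raw in enumerate(workflow.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if block is not None and indent <= block[0]:
            block = None                      # block scalar ended
        if block is not None:
            key = block[1]                    # continuation line of the scalar
        else:
            m = KEY.match(raw)
            if m:
                column, key = len(m.group(1)), m.group(2)
                while stack and stack[-1][0] >= column:
                    stack.pop()               # left a deeper or sibling mapping
                stack.append((column, key))
                if BLOCK.search(raw):
                    block = (column, key)
            else:
                key = stack[-1][1] if stack else ""
        for m in EXPR.finditer(raw):
            # env: and with: are the safe homes for these expressions; only a
            # run: value pastes them verbatim into a shell command line.
            if key == "run" and UNTRUSTED.match(m.group(1)):
                findings.append(Finding(lineno, key, m.group(1)))
    return findings


# Constructed sample modelled on this PR's docker-login and dispatch-input cases:
# two direct interpolations in run:, plus a with: usage that must not be flagged.
VULNERABLE = """\
on: workflow_dispatch
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Docker login
        run: |
          echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u x --password-stdin
      - name: Build
        run: cargo +${{ github.event.inputs.rust_version }} build
      - uses: docker/login-action@v3
        with:
          password: ${{ secrets.GITHUB_TOKEN }}
"""
# The same steps after the env: block remediation: the expression moves into
# env:, and the shell only ever sees a quoted variable expansion.
REMEDIATED = """\
on: workflow_dispatch
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Docker login
        env:
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$REGISTRY_TOKEN" | docker login ghcr.io -u x --password-stdin
      - name: Build
        env:
          RUST_VERSION: ${{ github.event.inputs.rust_version }}
        run: cargo +"$RUST_VERSION" build
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("remediated", REMEDIATED)):
        hits = scan(text)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: ${{{{ {f.expr} }}}} interpolated into {f.key}:")
```

Running the block reports two findings for the first snippet (the `run: |` docker login line and the inline cargo line) and none for the second, where every `${{ }}` occurrence sits under `env:`. The `with:` line in the first snippet is not reported either, which is the same distinction the M-F012 triage relies on: action inputs are passed as data, not spliced into a shell. An actionlint step, as the follow-up list proposes, is the maintained way to enforce this across the repository; the scanner here only illustrates the key-context idea that separates a safe `env:` mapping from a shell paste.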