Least-privilege permissions #6

@bordumb

Description

PR review feedback (axios/axios#10646) flagged that the GitHub Action
workflow grants pull-requests: write on all triggers, including push,
where it's not needed.

Task 8.1: Condition pull-requests: write on event type

What: The auths-verify-commits.yml workflow grants
pull-requests: write at job level for all triggers. On push events,
this is unnecessary and expands the token's privilege surface.

Why: A reviewer correctly pointed out this is the same class of
over-permissioning that contributed to the original attacks. The Auths
action only uses pull-requests: write when post-pr-comment: true
AND the trigger is a pull_request event.

Recommendation for the GitHub Action itself:

File to modify:
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/src/main.ts

The action should skip the PR comment step (and not require the token)
when the event is not a pull_request. Currently the action may already
do this, but the workflow template should make it explicit by splitting
into two jobs or using conditional permissions:

Recommended workflow pattern for consumers:

jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: ${{ github.event_name == 'pull_request' && 'write' || 'none' }}

File to also update (action README / examples):
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/README.md

Update all example workflows to use conditional permissions.
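As an added example (not code from the action's repository or from this issue), here is the two-job form of the consumer workflow the issue mentions, which keeps pull-requests: write off the token entirely on push. GitHub does not evaluate ${{ }} expressions inside a permissions: block, so splitting the jobs is the portable way to condition the scope on the event. The action reference auths-base/auths-verify-github-action@v1 and the fetch-depth setting are assumptions; only post-pr-comment comes from the issue.

```yaml
name: Verify commits

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: no scopes at all. Each job opts in to exactly
# what it needs, so a job that forgets to declare permissions gets nothing.
permissions: {}

jobs:
  # push: read-only token, PR comment disabled, no pull-requests scope.
  verify-push:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # assumption: full history so every commit can be checked
      - uses: auths-base/auths-verify-github-action@v1   # assumed action ref
        with:
          post-pr-comment: false

  # pull_request: the only job that holds pull-requests: write,
  # and only because it actually posts the comment.
  verify-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: auths-base/auths-verify-github-action@v1   # assumed action ref
        with:
          post-pr-comment: true
```

A quick check after adopting this: open a push run and a pull_request run in the Actions UI and confirm the "GITHUB_TOKEN Permissions" line in each job's setup log lists pull-requests only for verify-pr.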

Task 8.2: Action should warn when post-pr-comment is true on non-PR events

What: If a user configures post-pr-comment: true but the action
runs on a push event, the action should log a warning rather than
silently skipping or failing.

File to modify:
/Users/bordumb/workspace/repositories/auths-base/auths-verify-github-action/src/main.ts

import * as core from '@actions/core'
import * as github from '@actions/github'

// postPrComment is the parsed boolean value of the post-pr-comment input.
// Warn (do not fail) when the comment step cannot run for this event type,
// so a misconfigured workflow is visible instead of silently skipped.
if (postPrComment && github.context.eventName !== 'pull_request') {
  core.warning(
    'post-pr-comment is enabled but this is not a pull_request event. ' +
    'PR comment will be skipped. Consider conditioning pull-requests: write ' +
    'permission on the event type.'
  )
}
