security: Ci/fix validate workflow#392
Pull request overview
This PR hardens CI by separating fork-controlled validation work from secret-dependent Cloudflare uploads, mitigating secret exfiltration risks stemming from pull_request_target running untrusted fork code.
Changes:
- Split the existing validation pipeline into a no-secrets `Validate` workflow (runs on `pull_request_target`) and a secret-bearing `Post-Validate` workflow (runs on `workflow_run`).
- Pass PR metadata and (optionally) changed assets from `Validate` → `Post-Validate` via short-lived artifacts, and remove Cloudflare upload steps from the fork-processing workflow.
- Pin GitHub Actions to SHAs, tighten fork checkout behavior (`head.sha`, `persist-credentials: false`), and adjust the pnpm cache key to avoid nested-lockfile influence.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/validate.yml | Removes secret-dependent upload logic, adds artifact packaging for PR info/assets, pins actions, and hardens fork checkout + cache keying. |
| .github/workflows/post-validate.yml | New workflow_run-driven uploader that downloads artifacts and performs Cloudflare uploads using base-branch scripts with secrets isolated. |
5dd73d3 to
2072379
Note: this PR supersedes #391 ( This PR is the superset: it includes all of #391's changes (SHA pinning, node24 action upgrades,
rebasing 392 to main after merge of 391
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: qtipbera <194121515+qtipbera@users.noreply.github.com>
af5b450 to
9503eba
resolving conflict with main
@bearpong All checks green:
This is running against main's workflow (via Ready for review.
This PR splits validate.yml into two workflows to fix a secret exfiltration
vulnerability in the pull_request_target trigger.
The problem
The current validate.yml runs on pull_request_target (which has access to
repo secrets) and checks out fork code into ./head. Any job in that workflow
can read secrets like CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_IMAGES_API_TOKEN,
and GITHUB_TOKEN. A malicious fork PR could modify validation scripts to
exfiltrate these secrets during CI. The workflow is currently disabled for
this reason.
The fix
validate.yml (pull_request_target, zero secrets):
against fork code with no secrets in scope
post-validate.yml (workflow_run, has Cloudflare secrets):
PR metadata is passed via artifact instead of workflow_run.pull_requests[]
because that array is empty for fork PRs (known GitHub limitation).
Additional fixes
Cache key glob: changed from `**/pnpm-lock.yaml` to `pnpm-lock.yaml`.
The `**` glob matched lockfiles in subdirectories, meaning a fork could
influence the cache key by adding a lockfile in a nested path.
Unused secrets removed: BERACHAIN_HUB_API_TOKEN and
BERACHAIN_HUB_API_BASE_URL removed from data-consistency. Confirmed
unused via source audit of @berachain/berajs@0.1.0 — getApolloClient
reads config from @berachain/config, not environment variables.
persist-credentials: false added to all fork checkout steps.
head.ref → head.sha on all fork checkouts to prevent TOCTOU race
conditions.
After merge
Re-enable the Validate workflow in the Actions UI.
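
The checks described above can be expressed as a small line-based audit for `pull_request_target` workflows. This is an added example, not code from this PR or repository; the sample workflow, the script path `head/scripts/validate.js`, the finding codes and the all-zero pin are constructed for illustration.

```python
import re

# Constructed sample workflow (not the project's validate.yml); script path is hypothetical.
RISKY = """\
on: pull_request_target
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          path: head
      - uses: actions/cache@v4
        with:
          key: pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
      - run: node head/scripts/validate.js
        env:
          CLOUDFLARE_IMAGES_API_TOKEN: ${{ secrets.CLOUDFLARE_IMAGES_API_TOKEN }}
"""
PIN = "0" * 40  # placeholder, not a real commit SHA
# Same sample with the fixes applied: SHA pins, head.sha, no persisted token, root lockfile, no secrets.
HARDENED = (RISKY.replace("@v4", "@" + PIN)
            .replace("head.ref }}", "head.sha }}\n          persist-credentials: false")
            .replace("**/pnpm-lock.yaml", "pnpm-lock.yaml")
            .split("        env:")[0])

def audit(text):
    """Line-based heuristic: return sorted finding codes for one workflow file."""
    if not re.search(r"^\s*on:.*pull_request_target|^\s+pull_request_target:", text, re.M):
        return []  # only the privileged, fork-facing trigger is in scope
    found = set()
    if re.search(r"\$\{\{\s*secrets\.", text):
        found.add("SECRET_IN_FORK_WORKFLOW")
    if re.search(r"hashFiles\([^)]*\*\*/", text):
        found.add("RECURSIVE_GLOB_IN_CACHE_KEY")
    for step in re.split(r"(?m)^[ \t]*- (?=(?:uses|run|name):)", text)[1:]:  # one chunk per step
        uses = re.search(r"(?m)^\s*uses:\s*(\S+)", step)
        ref = uses.group(1) if uses else ""
        if ref and not ref.startswith("./") and not re.fullmatch(r"[^@]+@[0-9a-f]{40}", ref):
            found.add("ACTION_NOT_SHA_PINNED")
        if ref.startswith("actions/checkout@") and "pull_request.head." in step:
            if "pull_request.head.ref" in step:
                found.add("CHECKOUT_BY_MUTABLE_HEAD_REF")
            if not re.search(r"persist-credentials:\s*false", step):
                found.add("CHECKOUT_PERSISTS_CREDENTIALS")
    return sorted(found)

if __name__ == "__main__":
    print(audit(RISKY), audit(HARDENED))
```

The matching is textual, so treat a clean result as a first pass rather than proof that a workflow exposes nothing to fork code.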