Skip to content

fix(ci): drop privileged grants from /ok-to-test fork path#1067

Merged
mchmarny merged 1 commit into
mainfrom
fix/ok-to-test-privilege-drop
May 27, 2026
Merged

fix(ci): drop privileged grants from /ok-to-test fork path#1067
mchmarny merged 1 commit into
mainfrom
fix/ok-to-test-privilege-drop

Conversation

@mchmarny

Copy link
Copy Markdown
Member

Summary

Drop id-token: write and security-events: write from the /ok-to-testqualification.yaml call so fork-controlled local actions cannot mint OIDC tokens scoped to NVIDIA/aicr or write to code scanning.

Motivation / Context

ok-to-test.yaml reads pr.head.sha and passes it to qualification.yaml, which checks out that ref and then runs ./.github/actions/* local actions. Those paths resolve against the workspace, so once a maintainer types /ok-to-test, the fork PR author's action.yml content executes with whatever permissions the caller granted — currently id-token: write and security-events: write.

A "maintainer approved the run" gate isn't enough here: reviewers rarely audit .github/actions/** in a fork before greenlighting tests, and this is the standard pwn-request pattern GitHub's security lab warns about. The repo already uses the safer workflow_run + guarded-checkout pattern in on-push-comment.yaml.

Fixes: #1063
Related: N/A

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Build/CI/tooling

Component(s) Affected

  • Other: .github/workflows/ok-to-test.yaml

Implementation Notes

Minimal-blast-radius fix. The called jobs already degrade gracefully without these tokens:

  • cli-e2e: only the Generate SLSA predicate step needs id-token: write, and it's already gated by if: github.event.pull_request.head.repo.fork == false. Chainsaw tests run fine without OIDC.
  • security-scan: the SARIF upload step has continue-on-error: true, so missing security-events: write results in a logged notice rather than a job failure.

A larger refactor (split workflows, or load actions from base ref) was considered but rejected as out of scope — withholding the grants closes the exploit at the caller layer without restructuring qualification.

Testing

make qualify is not affected by this change (workflow-only). The change will be exercised by the next fork PR + /ok-to-test cycle; the expected difference is a single ::notice:: line from the SARIF upload skip and no change to other jobs.

Risk Assessment

  • Low — Isolated workflow change, easy to revert.

Rollout notes: No migration. If a future qualification step legitimately needs OIDC or SARIF upload on fork PRs, the safer path is to move it behind a workflow_run-triggered job that does not check out fork code.

Checklist

  • Tests pass locally (make test with -race) — N/A, workflow-only change
  • Linter passes (make lint) — yamllint clean on the changed file
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality — N/A
  • I updated docs if user-facing behavior changed — N/A
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

The reusable qualification workflow checks out the fork PR ref and then
runs local actions from ./.github/actions/*. Those paths resolve against
the workspace, so fork-controlled YAML executes inside a workflow the
caller had granted id-token: write and security-events: write. A
maintainer typing /ok-to-test would unwittingly hand a fork PR author
the ability to mint OIDC tokens scoped to NVIDIA/aicr and write to
code scanning.

Grant only actions:read + contents:read on the /ok-to-test → qualification
call. Existing fork-aware gating in cli-e2e (SLSA predicate gated to
non-fork) and security-scan (SARIF upload continue-on-error) means jobs
degrade gracefully without these tokens.

Fixes #1063
@coderabbitai

coderabbitai Bot commented May 27, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 3ef021db-ec66-4271-b526-c1d358c2e548

📥 Commits

Reviewing files that changed from the base of the PR and between 7adc586 and eb82279.

📒 Files selected for processing (1)
  • .github/workflows/ok-to-test.yaml

📝 Walkthrough

Walkthrough

This PR hardens the security posture of the /ok-to-test workflow by documenting and enforcing reduced permissions for fork-controlled qualification runs. The workflow's comments now explicitly state that elevated OIDC and security permissions are withheld for fork PRs, and the tests job's permissions passed to the called qualification.yaml workflow have been restricted to only actions: read and contents: read, removing the previously elevated id-token: write and security-events: write permissions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the primary change: removing privileged grants from the /ok-to-test fork workflow path to prevent unauthorized privilege escalation.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, explaining the security vulnerability being addressed, the implementation approach, and risk assessment.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/ok-to-test-privilege-drop

Comment @coderabbitai help to get the list of available commands and usage tips.

@mchmarny mchmarny merged commit 31c912a into main May 27, 2026
33 of 35 checks passed
@mchmarny mchmarny deleted the fix/ok-to-test-privilege-drop branch May 27, 2026 20:56
@github-actions

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 77.0%
Threshold 75%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-77.0%25-green)

No Go source files changed in this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

/ok-to-test checks out fork PR refs before running local actions in a privileged workflow

2 participants