fix(ci): drop privileged grants from /ok-to-test fork path#1067
Conversation
The reusable qualification workflow checks out the fork PR ref and then runs local actions from ./.github/actions/*. Those paths resolve against the workspace, so fork-controlled YAML executes inside a workflow the caller had granted id-token: write and security-events: write. A maintainer typing /ok-to-test would unwittingly hand a fork PR author the ability to mint OIDC tokens scoped to NVIDIA/aicr and write to code scanning. Grant only actions:read + contents:read on the /ok-to-test → qualification call. Existing fork-aware gating in cli-e2e (SLSA predicate gated to non-fork) and security-scan (SARIF upload continue-on-error) means jobs degrade gracefully without these tokens. Fixes #1063
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Enterprise Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR hardens the security posture of the Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related issues
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Coverage Report ✅
Coverage BadgeNo Go source files changed in this PR. |
Summary
Drop
id-token: writeandsecurity-events: writefrom the/ok-to-test→qualification.yamlcall so fork-controlled local actions cannot mint OIDC tokens scoped toNVIDIA/aicror write to code scanning.Motivation / Context
ok-to-test.yamlreadspr.head.shaand passes it toqualification.yaml, which checks out that ref and then runs./.github/actions/*local actions. Those paths resolve against the workspace, so once a maintainer types/ok-to-test, the fork PR author'saction.ymlcontent executes with whatever permissions the caller granted — currentlyid-token: writeandsecurity-events: write.A "maintainer approved the run" gate isn't enough here: reviewers rarely audit
.github/actions/**in a fork before greenlighting tests, and this is the standard pwn-request pattern GitHub's security lab warns about. The repo already uses the saferworkflow_run+ guarded-checkout pattern inon-push-comment.yaml.Fixes: #1063
Related: N/A
Type of Change
Component(s) Affected
.github/workflows/ok-to-test.yamlImplementation Notes
Minimal-blast-radius fix. The called jobs already degrade gracefully without these tokens:
cli-e2e: only theGenerate SLSA predicatestep needsid-token: write, and it's already gated byif: github.event.pull_request.head.repo.fork == false. Chainsaw tests run fine without OIDC.security-scan: the SARIF upload step hascontinue-on-error: true, so missingsecurity-events: writeresults in a logged notice rather than a job failure.A larger refactor (split workflows, or load actions from base ref) was considered but rejected as out of scope — withholding the grants closes the exploit at the caller layer without restructuring qualification.
Testing
make qualifyis not affected by this change (workflow-only). The change will be exercised by the next fork PR +/ok-to-testcycle; the expected difference is a single::notice::line from the SARIF upload skip and no change to other jobs.Risk Assessment
Rollout notes: No migration. If a future qualification step legitimately needs OIDC or SARIF upload on fork PRs, the safer path is to move it behind a
workflow_run-triggered job that does not check out fork code.Checklist
make testwith-race) — N/A, workflow-only changemake lint) — yamllint clean on the changed filegit commit -S)