Harden comment workflow artifact handling and permissions#6

Open
theinfosecguy wants to merge 1 commit into linkedin:master from theinfosecguy:theinfosecguy/harden-comment-workflow-payload

Conversation

@theinfosecguy

Summary

  • Restrict the workflow_run comment job to successful runs whose head repository matches the base repository.
  • Remove unnecessary pull-requests: write permission and keep least-privilege issues: write for PR comment creation.
  • Validate comment.json schema and bounds before posting to avoid blindly trusting artifact content.

Testing Done

  • Reviewed workflow conditions and permission scope.
  • Verified payload validation enforces required fields and body limits.
  • CI run validation in upstream repository by maintainers.
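
Added example, not code from this PR or from the repository it targets: a Python validator for the comment.json artifact that enforces the kind of schema and bounds check the summary describes, plus a helper that mirrors the workflow_run gate (successful run, head repository equals base repository). The field names `pr_number` and `body`, the size limits, the allowed-key set and the minimal event shape are assumptions; the page does not show the actual artifact schema. The PR number is also cross-checked against the numbers the triggering event reports, so the artifact alone cannot redirect the comment to another PR.

```python
"""Added example: bounded validation of a comment.json artifact before a
workflow_run job posts it, plus the run-trust gate the PR summary describes.
Not code from this PR or its repository; field names, limits and the event
shape below are assumptions."""
import json
from typing import Iterable, Optional

MAX_BODY_CHARS = 65_536            # GitHub rejects issue-comment bodies above 65536 characters
MAX_ARTIFACT_BYTES = 256 * 1024    # assumed cap on the raw artifact before parsing
ALLOWED_KEYS = frozenset({"pr_number", "body"})   # assumed artifact schema


class InvalidPayload(ValueError):
    """The artifact does not match the expected shape or bounds."""


def run_is_trusted(event: dict) -> bool:
    """Mirror the workflow-level gate: post only for successful runs whose head
    repository is the base repository (the workflow `if:` condition, in Python).
    `event` is an assumed minimal subset of the workflow_run webhook payload."""
    run = event.get("workflow_run") or {}
    base_repo = (event.get("repository") or {}).get("full_name")
    head_repo = (run.get("head_repository") or {}).get("full_name")
    return run.get("conclusion") == "success" and head_repo is not None and head_repo == base_repo


def validate_comment_payload(raw: bytes, allowed_pr_numbers: Iterable[int]) -> dict:
    """Parse and validate artifact bytes; return only the sanitized fields.

    Every check fails closed: the caller skips posting on InvalidPayload.
    The PR number must be one the triggering event reports (allowed_pr_numbers).
    """
    if len(raw) > MAX_ARTIFACT_BYTES:
        raise InvalidPayload("artifact exceeds size cap")
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise InvalidPayload(f"not valid UTF-8 JSON: {exc}") from None
    if not isinstance(data, dict):
        raise InvalidPayload("top-level value must be an object")
    keys = set(data)
    if keys - ALLOWED_KEYS:
        raise InvalidPayload(f"unexpected keys: {sorted(keys - ALLOWED_KEYS)}")
    if ALLOWED_KEYS - keys:
        raise InvalidPayload(f"missing keys: {sorted(ALLOWED_KEYS - keys)}")
    pr_number = data["pr_number"]
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(pr_number, bool) or not isinstance(pr_number, int) or pr_number <= 0:
        raise InvalidPayload("pr_number must be a positive integer")
    if pr_number not in set(allowed_pr_numbers):
        raise InvalidPayload("pr_number does not belong to the triggering run")
    body = data["body"]
    if not isinstance(body, str) or not body.strip():
        raise InvalidPayload("body must be a non-empty string")
    if len(body) > MAX_BODY_CHARS:
        raise InvalidPayload("body exceeds comment size limit")
    if "\x00" in body:
        raise InvalidPayload("body contains NUL")
    return {"pr_number": pr_number, "body": body}


def rejection_reason(raw: bytes, allowed_pr_numbers: Iterable[int]) -> Optional[str]:
    """The rejection message, or None if the payload is accepted."""
    try:
        validate_comment_payload(raw, allowed_pr_numbers)
    except InvalidPayload as exc:
        return str(exc)
    return None


# Constructed sample inputs (not taken from the page).
SAMPLE_EVENT = {
    "repository": {"full_name": "example-org/example-repo"},
    "workflow_run": {
        "conclusion": "success",
        "head_repository": {"full_name": "example-org/example-repo"},
        "pull_requests": [{"number": 42}],
    },
}
SAMPLE_GOOD = json.dumps({"pr_number": 42, "body": "Benchmark: hot path 3% faster."}).encode()
SAMPLE_BAD = [
    b"not json at all",                                  # not JSON
    b"[]",                                               # wrong top-level type
    b'{"pr_number": 42}',                                # missing body
    b'{"pr_number": 42, "body": "ok", "extra": 1}',      # unexpected key
    b'{"pr_number": true, "body": "ok"}',                # bool masquerading as int
    b'{"pr_number": 7, "body": "ok"}',                   # PR not in the triggering run
    b'{"pr_number": 42, "body": "' + b"a" * (MAX_BODY_CHARS + 1) + b'"}',  # oversized body
]

if __name__ == "__main__":
    if run_is_trusted(SAMPLE_EVENT):
        allowed = {pr["number"] for pr in SAMPLE_EVENT["workflow_run"]["pull_requests"]}
        print("accepted:", validate_comment_payload(SAMPLE_GOOD, allowed))
        for raw in SAMPLE_BAD:
            print("rejected:", rejection_reason(raw, allowed))
```

In a workflow this would run as a step after `actions/download-artifact`, with the job's `if:` still carrying the conclusion and head-repository check so an untrusted run never reaches the validator at all; the validator is the second layer, not a replacement for the gate or for `issues: write` as the only write permission.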


@ChrisCarini ChrisCarini left a comment


LGTM! Consider contributing this upstream, too!
