Conversation

@tim48-robot
Contributor

@tim48-robot tim48-robot commented Jan 4, 2026

fixes:
[three screenshots attached to the PR description, not reproduced here]

@github-actions

github-actions bot commented Jan 4, 2026

⚠️ PR Description Issues Detected

Please update the PR description to address these issues.

@sonarqubecloud

sonarqubecloud bot commented Jan 5, 2026


Copilot AI left a comment


Pull request overview

This PR addresses critical security vulnerabilities in GitHub Actions workflows by removing an insecure trusted workflow and hardening the PR checks workflow to follow security best practices.

Key Changes:

  • Removed the trusted-playwright.yml workflow that had a severe security vulnerability exposing production secrets to untrusted PR code
  • Changed pr-checks.yml from pull_request_target to pull_request trigger to prevent secret exposure
  • Added explicit least-privilege permissions (contents: read) and fallback logic for both PR and push event handling

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/trusted-playwright.yml | Deleted entire workflow that was checking out untrusted PR code while having access to production secrets (Firebase credentials) - this was a critical security vulnerability |
| .github/workflows/pr-checks.yml | Changed from pull_request_target to pull_request trigger, added explicit contents: read permission, and added fallback logic for ref/repository to safely handle both PR and push events |
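As an added illustration of the change the review describes (not the repository's actual pr-checks.yml or trusted-playwright.yml), here is the weak trigger pattern beside the hardened one, including the ref/repository fallback that lets one workflow serve both pull_request and push events. The secret name, branch name and build steps are assumed placeholders.

```yaml
# Added illustration, not the project's own workflow files.

# BEFORE (weak): pull_request_target runs in the base repository's context,
# so repository secrets are available to the job, while the checkout below
# pulls the fork's untrusted head commit. Any script in that commit
# (package.json scripts, test files, config) can read those secrets.
#
# on:
#   pull_request_target:
#     branches: [develop]
# jobs:
#   checks:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#         with:
#           ref: ${{ github.event.pull_request.head.sha }}
#           repository: ${{ github.event.pull_request.head.repo.full_name }}
#       - run: npm ci && npm test
#         env:
#           FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}  # assumed name; exposed to PR code

# AFTER (hardened): pull_request runs fork PRs with a read-only token and
# without repository secrets; permissions are pinned to the minimum; the
# `||` fallbacks pick the pushed commit when the event is not a pull request.
name: PR checks

on:
  pull_request:
    branches: [develop]
  push:
    branches: [develop]

permissions:
  contents: read

jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # On pull_request use the PR head; on push the pull_request fields
          # are empty, so fall back to the pushed commit in this repository.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
      - run: npm ci && npm test  # assumed placeholder steps; no secrets needed here
```

Checks that genuinely need production credentials belong in a separate workflow that runs only on trusted refs (push to a protected branch), never alongside a checkout of PR-controlled code.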


@marcgc21 marcgc21 merged commit 2aef8df into ruxailab:develop Jan 8, 2026
15 checks passed
