From 4ee09b5e15dfbbb7f8dbb9f7ba4b7062bb555c62 Mon Sep 17 00:00:00 2001
From: Ben Holmes
Date: Thu, 5 Mar 2026 11:48:44 -0500
Subject: [PATCH] Replace permissive write token with read-only agent access and just-in-time token for applying writes
---
.github/workflows/auto-fix-issue.yml | 6 ++++--
.github/workflows/daily-issue-summary.yml | 4 ++--
.github/workflows/fix-failing-checks.yml | 4 ++--
.github/workflows/respond-to-comment.yml | 6 ++++--
.github/workflows/review-pr.yml | 5 ++---
.github/workflows/suggest-review-fixes.yml | 3 ++-
README.md | 8 ++++++--
consumer-workflows/review-pr.yml | 2 +-
examples/auto-fix-issue.yml | 6 ++++--
examples/daily-issue-summary.yml | 4 ++--
examples/fix-failing-checks.yml | 4 ++--
examples/respond-to-comment.yml | 6 ++++--
examples/review-pr.yml | 7 +++----
examples/suggest-review-fixes.yml | 3 ++-
14 files changed, 40 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/auto-fix-issue.yml b/.github/workflows/auto-fix-issue.yml
index 7086540..7b8e320 100644
--- a/.github/workflows/auto-fix-issue.yml
+++ b/.github/workflows/auto-fix-issue.yml
@@ -44,6 +44,8 @@ jobs:
steps:
- name: Checkout Repo
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Construct Prompt
id: prompt
uses: actions/github-script@v7
@@ -90,12 +92,11 @@ jobs:
2. **Fix**: Implement the changes necessary to resolve the issue.
3. **Verify**: Ensure the code is correct and follows existing patterns.
4. **Output**: Do not output the diff. Provide a brief summary of what you changed.
+ 5. **Safety**: Do not run \`gh\` commands or call the GitHub API directly. This workflow applies GitHub writes in trusted post-processing steps.
`;
core.setOutput('prompt', prompt);
- name: Run Oz Agent
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
id: agent
with:
prompt: ${{ steps.prompt.outputs.prompt }}
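Review bot: The added `5. **Safety**` prompt rule is advice to the model, not an enforced control; what actually prevents GitHub writes from the agent step is the `GH_TOKEN` env removed a few lines below it, and the file should say so where the next maintainer will look. Add a comment above the `Run Oz Agent` step, `# Deliberately no GH_TOKEN here: the agent reads untrusted issue text, so GitHub writes happen only in the trusted steps below.`, so the env is not re-added for convenience later. The agent step still receives `warp_api_key` and the checked-out workspace, neither of which the prompt rule covers. The same applies to the matching hunks in `respond-to-comment.yml` and the `examples/` copies of both workflows.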
@@ -128,6 +129,7 @@ jobs:
git checkout -b "$BRANCH_NAME"
git add .
git commit -m "Fix for Issue #$ISSUE_NUMBER"
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
git push origin "$BRANCH_NAME" --force
# Create PR
diff --git a/.github/workflows/daily-issue-summary.yml b/.github/workflows/daily-issue-summary.yml
index 5e63842..bc900e7 100644
--- a/.github/workflows/daily-issue-summary.yml
+++ b/.github/workflows/daily-issue-summary.yml
@@ -45,6 +45,8 @@ jobs:
steps:
- name: Checkout Repo
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Fetch Issues
id: fetch_issues
env:
@@ -119,8 +121,6 @@ jobs:
- name: Run Oz Agent
if: steps.fetch_issues.outputs.has_issues == 'true'
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
id: agent
with:
prompt: ${{ steps.prompt.outputs.prompt }}
diff --git a/.github/workflows/fix-failing-checks.yml b/.github/workflows/fix-failing-checks.yml
index 209263a..cdd43c0 100644
--- a/.github/workflows/fix-failing-checks.yml
+++ b/.github/workflows/fix-failing-checks.yml
@@ -50,6 +50,7 @@ jobs:
with:
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: 0
+ persist-credentials: false
- name: Get Failure Logs
id: logs
env:
@@ -132,8 +133,6 @@ jobs:
core.setOutput('prompt', prompt);
- name: Run Oz Agent
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
id: agent
with:
prompt: ${{ steps.prompt.outputs.prompt }}
@@ -177,6 +176,7 @@ jobs:
git checkout -b "$FIX_BRANCH"
git add .
git commit -m "Fix failing checks for run $RUN_ID"
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
git push origin "$FIX_BRANCH" --force
# Find associated PR
diff --git a/.github/workflows/respond-to-comment.yml b/.github/workflows/respond-to-comment.yml
index e514137..6e821ff 100644
--- a/.github/workflows/respond-to-comment.yml
+++ b/.github/workflows/respond-to-comment.yml
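Review bot: `git remote set-url origin "https://x-access-token:${GH_TOKEN}@..."` writes the token into `.git/config`, where it stays for every later step of the job (the `# Create PR` step and anything after it), handing back part of what `persist-credentials: false` on the checkout just removed. Pushing to the URL directly leaves the stored remote untouched: replace the two lines with `git push --force "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$BRANCH_NAME"`; `GITHUB_REPOSITORY` is set by the runner, so the `${{ github.repository }}` expression need not be interpolated into the shell script at all. The hunk does not show where `GH_TOKEN` comes from for this step; presumably the step's own `env`, which is the just-in-time scope the commit message describes, and that is worth confirming. The same pattern is in `fix-failing-checks.yml` (`@@ -177`, push of `$FIX_BRANCH`), `respond-to-comment.yml` (`@@ -181`, where the bare `git push` would need an explicit refspec), and the three `examples/` copies.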
@@ -49,6 +49,8 @@ jobs:
steps:
- name: Checkout Action
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Acknowledge Comment
env:
GH_TOKEN: ${{ github.token }}
@@ -154,13 +156,12 @@ jobs:
6. Format your response in Markdown.
7. Your output will be posted as a reply to the user.
8. Do not attempt to stage or commit changes. This happens automatically after you complete your response.
+ 9. Do not run \`gh\` commands or call the GitHub API directly. This workflow handles GitHub writes in trusted post-processing steps.
`;
core.setOutput('prompt', prompt);
- name: Run Oz Agent
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
id: agent
with:
prompt: ${{ steps.prompt.outputs.prompt }}
@@ -181,6 +182,7 @@ jobs:
if [[ -n $(git status --porcelain) ]]; then
git add .
git commit -m "Oz Agent: Address comment"
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
git push
else
echo "No changes to commit."
diff --git a/.github/workflows/review-pr.yml b/.github/workflows/review-pr.yml
index 7f1a6bb..53649bf 100644
--- a/.github/workflows/review-pr.yml
+++ b/.github/workflows/review-pr.yml
@@ -38,10 +38,11 @@ jobs:
permissions:
contents: read
pull-requests: write
- issues: write
steps:
- name: Checkout Repo
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Checkout PR
env:
GH_TOKEN: ${{ github.token }}
@@ -257,8 +258,6 @@ jobs:
core.setOutput('prompt', prompt);
- name: Run Oz Agent Review
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
with:
prompt: ${{ steps.prompt.outputs.prompt }}
warp_api_key: ${{ secrets.WARP_API_KEY }}
diff --git a/.github/workflows/suggest-review-fixes.yml b/.github/workflows/suggest-review-fixes.yml
index bfaae4f..8557777 100644
--- a/.github/workflows/suggest-review-fixes.yml
+++ b/.github/workflows/suggest-review-fixes.yml
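Review bot: `review-pr.yml` drops the agent's `GH_TOKEN` (`@@ -257`) but, unlike `auto-fix-issue.yml` and `respond-to-comment.yml`, the prompt built just above this hunk gets no rule telling the agent that GitHub writes are handled elsewhere; the prompt body is outside the hunk, so this is inferred from the `core.setOutput('prompt', prompt);` context line. If the rule is kept in the other workflows it belongs here and in `daily-issue-summary.yml` too, if only so the agent does not spend turns on `gh` calls that can no longer succeed. In the `@@ -38` hunk the `Checkout PR` step that keeps `GH_TOKEN` runs before the agent; it is worth confirming that whatever it runs does not persist credentials into `.git/config`, since that would quietly undo `persist-credentials: false` for the agent step that follows. Dropping `issues: write` from `permissions` here and in `suggest-review-fixes.yml` is the right least-privilege move.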
@@ -38,10 +38,11 @@ jobs:
permissions:
contents: read
pull-requests: write
- issues: write
steps:
- name: Checkout
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Fetch review comments
uses: actions/github-script@v7
with:
diff --git a/README.md b/README.md
index 045ebe3..a65abe4 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,10 @@ Each scenario is provided in three forms:
and calls the reusable workflow via `jobs..uses`. These templates are intended to be copied into `.github/workflows/` in your own repository and customized.
+Security note: in these examples, the Oz Agent step is intentionally run without direct GitHub
+authentication, and all GitHub write operations are handled in explicit post-processing steps. This
+reduces prompt-injection blast radius while preserving automation.
+
### How to use the scenario workflows
1. Pick a scenario below (e.g., Respond to Comment, Auto Fix Issue).
@@ -137,7 +141,7 @@ _Consumer Template_: [consumer-workflows/review-pr.yml](consumer-workflows/revie
**Setup:**
- Ensure `WARP_API_KEY` is set in Repository Secrets.
-- The Agent needs read access to contents and write access to pull-requests.
+- Workflow requires read access to contents and write access to pull-requests.
**Expected Output:**
@@ -230,7 +234,7 @@ style), the Agent replies with a code suggestion block containing the fix.
**Setup:**
- Ensure `WARP_API_KEY` is set in Repository Secrets.
-- Action requires write permissions for `contents` and `pull-requests`.
+- Workflow requires `contents: read` and `pull-requests: write`.
**Expected Output:**
diff --git a/consumer-workflows/review-pr.yml b/consumer-workflows/review-pr.yml
index 6cecff1..e7293de 100644
--- a/consumer-workflows/review-pr.yml
+++ b/consumer-workflows/review-pr.yml
@@ -12,7 +12,7 @@
#
# Setup:
# - Ensure WARP_API_KEY is set in Repository Secrets.
-# - The Agent needs read access to contents and write access to pull-requests.
+# - Workflow requires read access to contents and write access to pull-requests.
#
# Expected Output:
# - Inline comments on the PR diff highlighting potential bugs, security issues, or style improvements.
diff --git a/examples/auto-fix-issue.yml b/examples/auto-fix-issue.yml
index 9dde5f5..eee5297 100644
--- a/examples/auto-fix-issue.yml
+++ b/examples/auto-fix-issue.yml
@@ -36,6 +38,8 @@ jobs:
steps:
- name: Checkout Repo
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Construct Prompt
id: prompt
@@ -83,13 +85,12 @@ jobs:
2. **Fix**: Implement the changes necessary to resolve the issue.
3. **Verify**: Ensure the code is correct and follows existing patterns.
4. **Output**: Do not output the diff. Provide a brief summary of what you changed.
+ 5. **Safety**: Do not run \`gh\` commands or call the GitHub API directly. This workflow applies GitHub writes in trusted post-processing steps.
`;
core.setOutput('prompt', prompt);
- name: Run Oz Agent
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
id: agent
with:
prompt: ${{ steps.prompt.outputs.prompt }}
@@ -120,6 +121,7 @@ jobs:
git checkout -b "$BRANCH_NAME"
git add .
git commit -m "Fix for Issue #$ISSUE_NUMBER"
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
git push origin "$BRANCH_NAME" --force
# Create PR
diff --git a/examples/daily-issue-summary.yml b/examples/daily-issue-summary.yml
index 4dd66f5..1165503 100644
--- a/examples/daily-issue-summary.yml
+++ b/examples/daily-issue-summary.yml
@@ -34,6 +36,8 @@ jobs:
steps:
- name: Checkout Repo
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Fetch Issues
id: fetch_issues
@@ -111,8 +113,6 @@ jobs:
- name: Run Oz Agent
if: steps.fetch_issues.outputs.has_issues == 'true'
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
id: agent
with:
prompt: ${{ steps.prompt.outputs.prompt }}
diff --git a/examples/fix-failing-checks.yml b/examples/fix-failing-checks.yml
index 7d0e546..0b87e46 100644
--- a/examples/fix-failing-checks.yml
+++ b/examples/fix-failing-checks.yml
@@ -44,6 +44,7 @@ jobs:
with:
ref: ${{ github.event.workflow_run.head_branch }}
fetch-depth: 0
+ persist-credentials: false
- name: Get Failure Logs
id: logs
@@ -129,8 +130,6 @@ jobs:
- name: Run Oz Agent
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
id: agent
with:
prompt: ${{ steps.prompt.outputs.prompt }}
@@ -172,6 +171,7 @@ jobs:
git checkout -b "$FIX_BRANCH"
git add .
git commit -m "Fix failing checks for run $RUN_ID"
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
git push origin "$FIX_BRANCH" --force
# Find associated PR
diff --git a/examples/respond-to-comment.yml b/examples/respond-to-comment.yml
index 23ab7ff..806c6c1 100644
--- a/examples/respond-to-comment.yml
+++ b/examples/respond-to-comment.yml
@@ -40,6 +40,8 @@ jobs:
steps:
- name: Checkout Action
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Acknowledge Comment
env:
@@ -148,14 +150,13 @@ jobs:
6. Format your response in Markdown.
7. Your output will be posted as a reply to the user.
8. Do not attempt to stage or commit changes. This happens automatically after you complete your response.
+ 9. Do not run \`gh\` commands or call the GitHub API directly. This workflow handles GitHub writes in trusted post-processing steps.
`;
core.setOutput('prompt', prompt);
- name: Run Oz Agent
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
id: agent
with:
prompt: ${{ steps.prompt.outputs.prompt }}
@@ -174,6 +175,7 @@ jobs:
if [[ -n $(git status --porcelain) ]]; then
git add .
git commit -m "Oz Agent: Address comment"
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
git push
else
echo "No changes to commit."
diff --git a/examples/review-pr.yml b/examples/review-pr.yml
index 0fa40bf..d3e5e11 100644
--- a/examples/review-pr.yml
+++ b/examples/review-pr.yml
@@ -7,7 +7,7 @@
#
# Setup:
# - Ensure WARP_API_KEY is set in Repository Secrets.
-# - The Agent needs read access to contents and write access to pull-requests.
+# - Workflow requires read access to contents and write access to pull-requests.
#
# Expected Output:
# - Inline comments on the PR diff highlighting potential bugs, security issues, or style improvements.
@@ -28,10 +28,11 @@ jobs:
permissions:
contents: read
pull-requests: write
- issues: write
steps:
- name: Checkout Repo
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Checkout PR
env:
@@ -250,8 +251,6 @@ jobs:
- name: Run Oz Agent Review
uses: warpdotdev/oz-agent-action@v1
- env:
- GH_TOKEN: ${{ github.token }}
with:
prompt: ${{ steps.prompt.outputs.prompt }}
warp_api_key: ${{ secrets.WARP_API_KEY }}
diff --git a/examples/suggest-review-fixes.yml b/examples/suggest-review-fixes.yml
index e3366d9..c0a1e58 100644
--- a/examples/suggest-review-fixes.yml
+++ b/examples/suggest-review-fixes.yml
@@ -25,10 +25,11 @@ jobs:
permissions:
contents: read
pull-requests: write
- issues: write
steps:
- name: Checkout
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Fetch review comments
uses: actions/github-script@v7