fix: gate /format command behind authorized-commenter check via slash… #250
Conversation
Thank you for submitting a pull request. Please ensure your changes comply with the project's contribution guidelines and that all workflow checks pass successfully.
Hey @jagdish-15, kindly review this PR...
/format

/format
I don't think the above command will work right now, since this PR changes that very workflow. Could you format the files locally and push the changes instead? That way, I can merge this PR, test the updated workflow, and let you know if any amendments are required. If needed, you can then open a follow-up PR.
/format
I have successfully run Prettier and pushed the formatting fixes to this PR. Note for Contributors: Because this commit was pushed by a bot, GitHub will not automatically re-run the CI checks. To trigger them to pass, you must either:
@jagdish-15 the latest commit needs workflow approval to run CI (fork PR, GitHub requires manual approval for first-time/external runs). Ready for review whenever you have a chance.
Description
Fixes a GitHub Actions security vulnerability where `/format` could be triggered by any commenter, including a PR author on their own fork — letting untrusted code run inside a job holding `contents: write` and a live `GITHUB_TOKEN` ("pwn request" pattern).

Previously, `/format` was handled directly from the `issue_comment` event, allowing untrusted fork content to reach a workflow with write permissions. This change moves authorization into `slash-command-dispatch`, ensuring only authorized commenters can dispatch the formatting workflow before any PR code is checked out or executed. This follows the maintainer's preferred approach of using `peter-evans/slash-command-dispatch` rather than adding manual `author_association` checks.

Linked Issue
#236 (merging to test the workflow, follow-up PR possible)
Changes Made
- `.github/workflows/slash-command-dispatch.yml`: new workflow, the only one now listening to `issue_comment`. Uses `peter-evans/slash-command-dispatch@v5` with `permission: write`, so the commenter's repo access is verified before any dispatch event is created. No PR/fork code is ever checked out in this job.
- `.github/workflows/format-command.yml`: now triggers only on `repository_dispatch` (type `format-command`) instead of `issue_comment`, so it's unreachable except via an authorized dispatch. Checkout, Prettier, and commit/push logic are unchanged from the original. Also added a failure-comment step so a broken Prettier run no longer fails silently.
- `/format` on a PR still works the same way for contributors.
- `peter-evans/slash-command-dispatch` requires a repo-scoped Personal Access Token — `GITHUB_TOKEN` cannot create dispatch events. Please add one as a repository secret named `PAT` (Settings → Secrets and variables → Actions → New repository secret), or `/format` will not dispatch.

Type of Change
Testing
Validated both workflow files with `actionlint` (no errors) and cross-checked the `client_payload` field paths (`pull_request.head.repo.full_name`, `pull_request.head.ref`, `github.payload.issue.number`) against the action's official documentation. Full end-to-end testing of the live dispatch requires the `PAT` secret to exist on this repo, which I don't have access to add, so I wasn't able to test the actual `/format` flow against this repository. Happy to verify together once the secret is added.

Checklist
- `npx prettier --write .` before submitting
- `feature/*` branch, not the `main` branch

Screenshots / Screen Recording
N/A — this is a CI/workflow-only change with no UI impact.
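The trigger that created the pwn-request condition and the dispatcher/receiver split described under Changes Made, written out as an added example rather than the project's actual workflow files: the secret name `PAT`, the `client_payload` paths and the Prettier invocation are taken from the description above, while the step names and the failure-comment wording are assumed, and the unchanged commit/push step is left out.

```yaml
# Added example (not the project's own files). Assumes a repo-scoped PAT stored as
# the secret PAT, as the PR requests, and a Prettier setup run with npx.
# BEFORE (vulnerable): format-command.yml listened to issue_comment itself, so any
# commenter, a fork author included, ran PR-controlled code with a write token.
on:
  issue_comment:
    types: [created]
permissions:
  contents: write   # live GITHUB_TOKEN with push rights in a job reachable by anyone
---
# AFTER, file 1: slash-command-dispatch.yml is the only workflow on issue_comment.
# Nothing from the PR is checked out here; the action verifies the commenter's
# repo permission and only then emits a repository_dispatch event "format-command".
on:
  issue_comment:
    types: [created]
jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - uses: peter-evans/slash-command-dispatch@v5
        with:
          token: ${{ secrets.PAT }}  # GITHUB_TOKEN cannot create dispatch events
          commands: format
          permission: write          # commenter needs write access; fork authors lack it
          issue-type: pull-request   # ignore /format on plain issues
---
# AFTER, file 2: format-command.yml is reachable only through an authorized dispatch.
on:
  repository_dispatch:
    types: [format-command]
permissions:
  contents: write
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.PAT }}  # lets the bot push the formatted commit back
          repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
          ref: ${{ github.event.client_payload.pull_request.head.ref }}
      - run: npx prettier --write .
      - if: failure()   # surface a broken Prettier run instead of failing silently
        run: gh pr comment "$PR_NUMBER" --body "Prettier failed; see the workflow log."
        env:
          GH_TOKEN: ${{ secrets.PAT }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.client_payload.github.payload.issue.number }}
```

The point of the split is that the only job that untrusted commenters can reach holds no write token and checks out nothing, so a `/format` from a fork author is rejected by the `permission: write` check before any `repository_dispatch` is ever created.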