ci: harden pr.yaml + chaos workflow#16
Conversation
|
Claude finished @bdimitrov-netzine's task in 1m 44s —— View job PR Review
All four changes are correct and well-motivated. A few observations worth noting before merge: Fix 1 — Trivy output cap (
|
Security Scan - CodeSeverity: HIGH, CRITICAL No vulnerabilities found View scan results |
Four fixes found in a workflow audit (all actionlint-clean):
- pr.yaml: add top-level `permissions: contents: read`. The fmt/tests
jobs declared none and inherited the repo-default token scope; every
other workflow already pins least privilege. The commenting jobs keep
their own pull-requests: write override.
- pr.yaml: add a concurrency group with cancel-in-progress so pushing/
rebasing a PR supersedes the in-flight run instead of stacking another
full build+test (the require-up-to-date-branch rule causes churn).
- pr.yaml: cap the Trivy comment body at `tail -c 60000`, matching the
forge step. A raw `cat` of a large HIGH/CRITICAL scan (>65536 chars)
would exceed GitHub's comment-body limit and fail the POST.
- nightly-chaos.yml: pass the workflow_dispatch `test` input via env
instead of templating ${{ }} into the run script, so it's treated as
data, not shell code. Left unquoted so empty still means "run all".
485196b to
ccee95e
Compare
|
Claude finished @bdimitrov-netzine's task in 1m 6s —— View job PR Review
All four changes are correct and well-motivated. Notes per fix: Fix 1 — Trivy output cap (
|
Findings from a full workflow audit (actionlint 1.7.12 reports the whole
.github/workflowstree clean; these are hardening/correctness gaps it doesn't flag).Fixes in this PR
1.
pr.yaml: cap the Trivy comment output — latent failureThe forge path caps its comment at
tail -c 60000(GitHub's 65536-char comment-body limit), but the Trivy path did a rawcat trivy-results.txt >> $GITHUB_OUTPUT. A PR with many HIGH/CRITICAL findings produces a table over the limit → the sticky-comment POST 422s and the step fails. Now capped the same way.2.
pr.yaml: add top-levelpermissions: contents: readThe
fmtandtestsjobs declared no permissions and inherited the repo-defaultGITHUB_TOKENscope. Every other workflow already pins least privilege. The two commenting jobs keep their ownpull-requests: writeoverride.3.
pr.yaml: addconcurrencywithcancel-in-progressNo cancellation meant every push/rebase stacked another full build+test run — amplified by the "require branch up-to-date" rule. Now a new push supersedes the in-flight run. (CodeQL already does this; the push/tag build workflows intentionally don't.)
4.
nightly-chaos.yml: route the dispatch input throughenv:... --test-threads 1 ${{ github.event.inputs.test }}templated a user input straight into the shell — a script-injection surface (low severity: dispatch requires write access, and it's the only workflow doing this vs the env-var pattern build-docker/promote-docker use). Now passed asenv: TESTand referenced as$TEST(data, not code). Left unquoted so empty still means "run all scenarios".Deliberately not changed (per review decision)
promote-docker.yml's "fail if target tag exists" guard stays commented (overwrite-on-re-promote kept).