Asim GitHub workflow pipeline #12973
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This reverts commit 2580ab5.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Introduces a security approval job to require a 'safe to test' label for forked pull requests before running ASIM Schema and Data testers. The workflow checks for race conditions (commits after label approval) and provides automated guidance comments for maintainers. Also updates trigger to use pull_request_target, adds concurrency control.
Comment on lines
29
to
+41
| jobs: | ||
| # Security gate: Fork PRs require manual approval via "safe to test" label | ||
| # Internal PRs (same repo) can proceed without labels | ||
| security-gate: | ||
| name: Security approval gate for fork PRs | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 5 | ||
| permissions: |
Check failure
Code scanning / CodeQL
Checkout of untrusted code in trusted context High
Update the workflow to use the most recent 'safe to test' label event by switching from 'head -1' to 'tail -1' when parsing the timeline. Also remove an unnecessary exit statement in the manual approval branch.
Comment on lines
170
to
196
| }); | ||
| // Check if we already have a guidance comment to avoid spam | ||
| const existingComment = comments.find(comment => | ||
| comment.body.includes('🔒 **Security Approval Required**') && | ||
| comment.user.type === 'Bot' | ||
| ); | ||
| let commentBody = ''; | ||
| // Check what type of approval is needed based on the step outputs | ||
| if ('${{ steps.check-approval.outputs.needs_reapproval }}' === 'true') { | ||
| commentBody = `🔒 **Security Re-approval Required** | ||
| ⚠️ **Race condition detected**: New commits were pushed after the \`safe to test\` label was added. | ||
| **For security, a maintainer must:** | ||
| 1. 📝 Review the latest commits carefully for any security concerns | ||
| 2. 🏷️ Remove the \`safe to test\` label | ||
| 3. 🏷️ Re-add the \`safe to test\` label if the new commits are safe | ||
| This ensures that all commits have been properly reviewed before testing with repository secrets. | ||
| --- | ||
| *This is an automated security check to prevent malicious code execution. Learn more about [GitHub Security Lab recommendations](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).*`; | ||
| } else { | ||
| commentBody = `🔒 **Security Approval Required** |
Check failure
Code scanning / CodeQL
Checkout of untrusted code in a privileged context Critical
Comment on lines
201
to
208
| 1. 📝 Review the code changes carefully | ||
| 2. 🏷️ Add the \`safe to test\` label if the changes are safe to execute | ||
| This protects against malicious code execution in fork contributions. | ||
| --- | ||
| *This is an automated security check to prevent malicious code execution. Learn more about [GitHub Security Lab recommendations](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/).*`; | ||
| } |
Check failure
Code scanning / CodeQL
Checkout of untrusted code in trusted context High
Replaces use of repo.pushed_at with the actual PR head commit timestamp by fetching commit details via the GitHub API. Adds additional debug logging to the comment step for better traceability and updates log messages for comment creation and updates.
Update workflow to always create a new security guidance comment instead of updating or deleting previous ones. This preserves the audit trail by keeping all past comments for reference.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: