Merged
8 changes: 4 additions & 4 deletions .github/workflows/deployBlockerInvestigation.yml
@@ -17,7 +17,7 @@ on:

concurrency:
group: deploy-blocker-investigation-${{ github.event.issue.html_url || inputs.ISSUE_URL }}
cancel-in-progress: true
cancel-in-progress: false

jobs:
investigate:
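Review bot: switching `cancel-in-progress` from `true` to `false` in the `deploy-blocker-investigation-...` concurrency group means a second trigger for the same issue (another label event or a manual dispatch) now queues behind the running investigation instead of cancelling it, so every repeated trigger produces a complete extra run of this job. The PR should state why queuing is preferred here (for example, not losing an in-flight investigation), and if duplicate investigations of one issue are not wanted, add a step that exits early when a run for that issue has already completed.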
@@ -32,10 +32,10 @@ jobs:
with:
fetch-depth: 1

# Validate that the user has write access to the repository
# workflow_dispatch already requires write access, but this makes it explicit
# and ensures the token works for team membership checks
# Only validate write access for manual dispatch - label events are already gated by GitHub's
# permission model (triage+ can add labels), and the workflow uses controlled tools
- name: Validate actor has write access
if: github.event_name == 'workflow_dispatch'
uses: ./.github/actions/composite/validateActor
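Review bot: the new `if: github.event_name == 'workflow_dispatch'` skips `validateActor` entirely on label events, so the deleted comment's rationale that the step "ensures the token works for team membership checks" no longer holds for that path, and the replacement comment should name the label that starts the run, state that triage permission is enough to add it, and point to the step where the "controlled tools" it relies on are actually restricted. Since the step's `with: REQUIRE_APP_DEPLOYER: false` is unchanged, leaving the step unconditional would cost nothing on the manual path and would keep one explicit write-access gate in front of the token for label-triggered runs as well.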
Comment on lines +35 to 39


P1: Keep write-access gate for label-triggered runs

By gating validateActor only on workflow_dispatch, any user with triage permission who can add the DeployBlockerCash label can now trigger a workflow run that uses secrets.OS_BOTIFY_TOKEN with gh api access (see the Claude step in this same job). This is a permission escalation relative to the previous behavior: triage users (who do not have write/admin) can indirectly perform bot-privileged actions like commenting or label edits via the Claude agent. If a triage user adds the label, the workflow will run with those secrets and tools, which was previously blocked by the write check.

Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is known and expected; the actions themselves are limited with scripts, and if you are able to add the label you should be able to run the workflow.

with:
REQUIRE_APP_DEPLOYER: false