From b175c7172719f857608c5247515133f941f657cb Mon Sep 17 00:00:00 2001
From: e271828-
Date: Sun, 1 Mar 2026 22:49:54 -0500
Subject: [PATCH 1/5] Harden external PR workflows against token abuse
---
 .github/workflows/e2e-external-phase-1.yml | 5 ++++-
 .github/workflows/e2e-external-phase-2.yml | 4 ----
 .github/workflows/e2e-private-link-in-pr.yml | 8 ++++++++
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/e2e-external-phase-1.yml b/.github/workflows/e2e-external-phase-1.yml
index 0e0f6020..d4b80fec 100644
--- a/.github/workflows/e2e-external-phase-1.yml
+++ b/.github/workflows/e2e-external-phase-1.yml
@@ -10,7 +10,10 @@ jobs:
 # If reviewed by a repo(/org) owner
 if: |
 github.event.pull_request.author_association != 'MEMBER'
- && github.event.review.author_association == 'MEMBER'
+ && (
+ contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)
+ || contains(fromJson('["kieferro", "ewjoachim"]'), github.event.review.user.login)
+ )
 && github.event.review.state == 'approved'
 && contains(github.event.review.body, '/e2e')
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e-external-phase-2.yml b/.github/workflows/e2e-external-phase-2.yml
index a05f0300..5d917b90 100644
--- a/.github/workflows/e2e-external-phase-2.yml
+++ b/.github/workflows/e2e-external-phase-2.yml
@@ -83,10 +83,6 @@ jobs:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- # Important: use the commit that was reviewed. GitHub is making sure
- # that this is race-condition-proof
- ref: ${{ steps.extract_commit.outputs.COMMIT_ID }}
 - name: Install uv
 uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
diff --git a/.github/workflows/e2e-private-link-in-pr.yml b/.github/workflows/e2e-private-link-in-pr.yml
index dc30678f..457bdd6b 100644
--- a/.github/workflows/e2e-private-link-in-pr.yml
+++ b/.github/workflows/e2e-private-link-in-pr.yml
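Review bot: The comment `# If reviewed by a repo(/org) owner` at the top of the phase-1 hunk no longer describes the condition beneath it, which after this patch accepts an approving review from an OWNER, MEMBER or COLLABORATOR association or from two hard-coded logins (later patches in this series narrow the list again). This `if:` is the only thing standing between a fork PR and a privileged follow-up run, so the comment should state the actual rule and that it is the security gate, e.g. `# Security gate: only an approving review containing /e2e from a trusted reviewer (association list below) may start e2e for a non-member PR`. Whatever the final list ends up being, the comment should be updated in the same change rather than left to drift. The enclosing job definition starts outside the hunk.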
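Review bot: Dropping the `with: ref:` from the phase-2 checkout leaves no record of which revision this job now runs, and the deleted comment was the only place that explained why the pinned, reviewed commit mattered. If the intent is that this privileged job must never execute code taken from the PR head (the token-abuse concern in the subject), say so where the `with:` block was, e.g. `# No ref: on purpose - this job runs with secrets and checks out only the trusted default branch, never the PR head`; if the job still needs the PR sources, the comment should instead say where they now come from and how that path is protected. The `extract_commit` step that produced `COMMIT_ID` is outside the hunk; if nothing else consumes that output it can presumably be removed too, and any remaining consumer should be checked for the same concern. The enclosing job definition starts outside the hunk.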
@@ -10,6 +10,10 @@ jobs:
 if: |
 github.event.issue.pull_request
 && contains(github.event.comment.body, '/invite')
+ && (
+ contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
+ || contains(fromJson('["kieferro", "ewjoachim"]'), github.event.comment.user.login)
+ )
 runs-on: ubuntu-latest
 strategy:
 matrix:
@@ -42,6 +46,10 @@ jobs:
 if: |
 github.event.issue.pull_request
 && contains(github.event.comment.body, '/invite')
+ && (
+ contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
+ || contains(fromJson('["kieferro", "ewjoachim"]'), github.event.comment.user.login)
+ )
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
From f349c71bbb51e0364cfac6f2d341140a26943f33 Mon Sep 17 00:00:00 2001
From: e271828-
Date: Sun, 1 Mar 2026 22:51:42 -0500
Subject: [PATCH 2/5] Apply suggestion from @e271828-
---
 .github/workflows/e2e-external-phase-1.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/e2e-external-phase-1.yml b/.github/workflows/e2e-external-phase-1.yml
index d4b80fec..5305d277 100644
--- a/.github/workflows/e2e-external-phase-1.yml
+++ b/.github/workflows/e2e-external-phase-1.yml
@@ -12,7 +12,6 @@ jobs:
 github.event.pull_request.author_association != 'MEMBER'
 && (
 contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)
- || contains(fromJson('["kieferro", "ewjoachim"]'), github.event.review.user.login)
 )
 && github.event.review.state == 'approved'
 && contains(github.event.review.body, '/e2e')
From 943718e32b1b8297c3a9fe1367714d910c75c963 Mon Sep 17 00:00:00 2001
From: e271828-
Date: Sun, 1 Mar 2026 22:52:32 -0500
Subject: [PATCH 3/5] Apply suggestion from @e271828-
---
 .github/workflows/e2e-external-phase-1.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/e2e-external-phase-1.yml b/.github/workflows/e2e-external-phase-1.yml
index 5305d277..9dbfbd16 100644
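Review bot: The association guard added in the first private-link hunk is copy-pasted verbatim into the second job's `if:` in the next hunk (line 46 of the same file), and patches 4 and 5 of this series then have to repeat the same edit twice to keep the two copies aligned; the next time only one of them is touched the two `/invite` gates will silently diverge, which is a bad property for an authorisation check. Consider a single gate job that evaluates the condition once and exposes it as a job output, with both jobs declaring `needs:` on it and guarding with `if: needs.gate.outputs.allowed == 'true'`, or at minimum a comment on each copy: `# Keep in sync with the identical /invite guard on the other job in this file`. The enclosing job definitions start outside the hunks.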
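Review bot: `github.event.comment.author_association` is reported to depend, in some payloads, on whether the commenter's org membership is public, so a private org member may arrive as `CONTRIBUTOR` rather than `MEMBER` and be refused by the new guard in the second private-link hunk (and equally by the copy in the first hunk and by the review gate in e2e-external-phase-1.yml); worth verifying with a private member before relying on it as the sole check, and worth a comment such as `# author_association is computed server-side; verify private org members are reported as MEMBER` next to the list. The property that matters is preserved: the value is computed by GitHub, not taken from the comment body, which is the right kind of input for a gate in front of a job holding `pull-requests: write`. The enclosing job definition starts outside the hunk.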
--- a/.github/workflows/e2e-external-phase-1.yml
+++ b/.github/workflows/e2e-external-phase-1.yml
@@ -11,7 +11,7 @@ jobs:
 if: |
 github.event.pull_request.author_association != 'MEMBER'
 && (
- contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)
+ contains(fromJson('["OWNER", "MEMBER"]'), github.event.review.author_association)
 )
 && github.event.review.state == 'approved'
 && contains(github.event.review.body, '/e2e')
From 978b2329cb611fc50e01a45d87a216aebc050df9 Mon Sep 17 00:00:00 2001
From: e271828-
Date: Sun, 1 Mar 2026 22:53:11 -0500
Subject: [PATCH 4/5] Apply suggestion from @e271828-
---
 .github/workflows/e2e-private-link-in-pr.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/e2e-private-link-in-pr.yml b/.github/workflows/e2e-private-link-in-pr.yml
index 457bdd6b..a3f1cb40 100644
--- a/.github/workflows/e2e-private-link-in-pr.yml
+++ b/.github/workflows/e2e-private-link-in-pr.yml
@@ -11,8 +11,7 @@ jobs:
 github.event.issue.pull_request
 && contains(github.event.comment.body, '/invite')
 && (
- contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
- || contains(fromJson('["kieferro", "ewjoachim"]'), github.event.comment.user.login)
+ contains(fromJson('["OWNER", "MEMBER"]'), github.event.comment.author_association)
 )
 runs-on: ubuntu-latest
 strategy:
From e2ebec787a51368996e3f325e2da7593593cc89f Mon Sep 17 00:00:00 2001
From: e271828-
Date: Sun, 1 Mar 2026 22:54:32 -0500
Subject: [PATCH 5/5] Apply suggestion from @e271828-
---
 .github/workflows/e2e-private-link-in-pr.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/e2e-private-link-in-pr.yml b/.github/workflows/e2e-private-link-in-pr.yml
index a3f1cb40..ea21dccb 100644
--- a/.github/workflows/e2e-private-link-in-pr.yml
+++ b/.github/workflows/e2e-private-link-in-pr.yml
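Review bot: After the phase-1 hunk in patch 3 the two halves of the guard use different notions of "trusted": the author clause still reads `github.event.pull_request.author_association != 'MEMBER'` while the reviewer clause now accepts only `OWNER` or `MEMBER`, so a PR opened by an OWNER is routed through the external gate while a MEMBER-authored PR skips it entirely. That may be intentional (an internal workflow outside this diff presumably covers MEMBER authors), but if the two lists are meant to express one policy the author clause should be `!contains(fromJson('["OWNER", "MEMBER"]'), github.event.pull_request.author_association)` and the same two-value list should be the one the `/invite` gates in e2e-private-link-in-pr.yml converge on in patches 4 and 5. A one-line comment stating which association values are considered trusted and why MEMBER-authored PRs are excluded here would make the split deliberate. The enclosing job definition starts outside the hunk.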
@@ -46,8 +46,7 @@ jobs:
 github.event.issue.pull_request
 && contains(github.event.comment.body, '/invite')
 && (
- contains(fromJson('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
- || contains(fromJson('["kieferro", "ewjoachim"]'), github.event.comment.user.login)
+ contains(fromJson('["OWNER", "MEMBER"]'), github.event.comment.author_association)
 )
 runs-on: ubuntu-latest
 permissions: