fix(security): prevent untrusted users from triggering TRL CI dispatch #45302
Merged
qgallouedec merged 1 commit into main (Apr 7, 2026)
The trust check used `exit 0` which only exits the shell step with success — the workflow continued to dispatch TRL CI for untrusted commenters. This allowed any GitHub user to execute arbitrary code on self-hosted GPU runners by commenting `/trl-ci` on any PR. Fix: change `exit 0` to `exit 1` (fail the step) AND add explicit `if: steps.trust.outputs.trusted == 'true'` guards on every subsequent step as defense in depth. Reported via HackerOne #3656858.
qgallouedec (Member) approved these changes on Apr 7, 2026:
My bad, thanks for the fix
Security Fix
Fixes a trust check bypass in `trl-ci-bot.yml` that allowed any GitHub user to trigger TRL CI on self-hosted GPU runners by commenting `/trl-ci` on any PR.

The bug
The "Ignore untrusted commenter" step used `exit 0`, which only exits the shell step with success. GitHub Actions interprets this as "step passed" and continues to the next steps — dispatching the TRL workflow, which runs attacker-controlled code on self-hosted runners with access to secrets.

The fix
- `exit 0` to `exit 1` — now fails the step and halts the job
- `if: steps.trust.outputs.trusted == 'true'` on every subsequent step as defense in depth

Impact
Reported via HackerOne. Please merge promptly and re-enable the workflow after merge.
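
The gate pattern described above, as an added example that is not the contents of `trl-ci-bot.yml` or any code from this PR. The step name, the step id `trust` and the output `trusted` come from the PR text; the `author_association` check, the job layout and the dispatch placeholder are assumptions.

```yaml
# Constructed workflow sketch illustrating a fail-closed trust gate.
name: comment-triggered-ci
on:
  issue_comment:
    types: [created]

jobs:
  dispatch:
    # Only react to "/trl-ci" comments made on pull requests.
    if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/trl-ci')
    runs-on: ubuntu-latest   # assumption: the gate itself runs on a hosted runner
    steps:
      - name: Ignore untrusted commenter
        id: trust
        env:
          # Assumption: trust is decided from the commenter's association with
          # the repository. Passed through env rather than interpolated into
          # the script text.
          ASSOCIATION: ${{ github.event.comment.author_association }}
        run: |
          case "$ASSOCIATION" in
            OWNER|MEMBER|COLLABORATOR)
              echo "trusted=true" >> "$GITHUB_OUTPUT"
              ;;
            *)
              echo "trusted=false" >> "$GITHUB_OUTPUT"
              echo "::notice::ignoring /trl-ci from untrusted commenter"
              # `exit 0` here would mark this step as passed, and the job
              # would carry on to the dispatch step below.
              exit 1
              ;;
          esac

      # Defense in depth: every later step repeats the guard, so a future
      # edit to the script above (or a `continue-on-error`) cannot silently
      # reopen the gate.
      - name: Dispatch CI
        if: steps.trust.outputs.trusted == 'true'
        # Hypothetical placeholder; the real dispatch call is not shown on the page.
        run: echo "dispatch placeholder"
```

With `exit 1` the run is reported as failed for untrusted comments; the `if:` guards are what still hold if that exit code is ever changed back to a quiet success.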