Harden the secrets exposure surface of the PR-Agent workflow #276
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b7e9f4f545
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
b7e9f4f to 44f0ef0
PR Reviewer Guide 🔍 (Review updated until commit bd4547b)
Here are some key observations to aid the review process:
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 44f0ef0b0e
| ${{ | ||
| github.event.sender.type != 'Bot' && | ||
| ( | ||
| github.event_name == 'pull_request_target' || |
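Review bot: the `github.event_name == 'pull_request_target' ||` alternative inside the parentheses carries no further condition in the lines shown, so any PR event from a non-Bot sender satisfies this part of the gate. If that is the intended behaviour, say so in a comment at this line, naming the secrets the job receives, so the unconditional branch is not later read as an oversight.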
Gate pull_request_target on same-repo PRs
For an external fork PR opened or synchronized via pull_request_target, this branch evaluates true before any repository-owner check, so the secrets-bearing PR-Agent job still runs automatically with OPENAI_KEY and write-scoped GITHUB_TOKEN. The trusted-member gate only applies to issue_comment, leaving the external-PR auto path that this hardening change says it removes; add a check such as comparing github.event.pull_request.head.repo.full_name with github.repository for this event.
The workflow must keep reviewing every PR and every pushed commit automatically, including fork PRs, so the hardening focuses on pinning the code that actually runs in the secrets-bearing job. The wrapper action commit still delegates to a mutable Docker tag, so the workflow now calls the PR-Agent container by immutable digest directly.

Constraint: Maintainer preference is automatic PR-Agent coverage for each PR and synchronize event.
Constraint: Issue Open-Less#222 requires removing mutable third-party execution refs from the secrets-bearing path.
Rejected: Pin only the action repository commit | the wrapper Dockerfile still resolves pragent/pr-agent:github_action at runtime.
Rejected: Require trusted comment triggers for fork PRs | too inconvenient because new commits would not be reviewed automatically.
Confidence: medium
Scope-risk: moderate
Directive: If fork PR automation remains required, keep the runtime container digest-pinned and do not checkout PR head code in this workflow.
Tested: Parsed .github/workflows/pr-agent.yml with PyYAML and asserted docker:// sha256 form; git diff --check; grep confirmed no action ref or github_action tag remains in the workflow.
Not-tested: Live GitHub Actions execution or Docker Hub digest pull from this host.
Related: Open-Less#222
44f0ef0 to bd4547b
Persistent review updated to latest commit 44f0ef0
Persistent review updated to latest commit bd4547b
User description
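Changes
- `the-pr-agent/pr-agent@...` wrapper action to run PR-Agent; changed to use a digest-pinned Docker action directly: `docker://pragent/pr-agent@sha256:a0b36966ca3a197ca739fa1e65c16703076fc1c744cd423ca203b8c21707d71c`.
- automatic triggering of `pull_request_target` for all PRs, including external fork PRs and new `synchronize` commits.
- `issue_comment` manual trigger path restricted to OWNER/MEMBER/COLLABORATOR, to avoid arbitrary comments abusing the job that carries secrets.

Impact
- `synchronize` automatically triggers again.
- the `OPENAI_KEY` `pull_request_target` path; this is a residual risk accepted to keep automatic review convenient.

Verification
- `python - <<'PY' ... yaml.safe_load(...)`: the workflow YAML parses, and `uses` is asserted to be of the form `docker://...@sha256:`.
- `git diff --check`: passed.
- `grep` confirms that no `the-pr-agent/pr-agent@` or `pragent/pr-agent:github_action` remains in the workflow.

Closes #222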
PR Type
Bug fix, Enhancement
Description
- Pin PR-Agent runtime container to an immutable Docker image digest (removes mutable action ref)
- Restrict `issue_comment` trigger to OWNER/MEMBER/COLLABORATOR to prevent abuse
- Update workflow comments to document current security model and permissions
Diagram Walkthrough
flowchart LR
  A["pull_request_target (all PRs)"] -- "trigger" --> C["Job: pr_agent_job"]
  B["issue_comment (trusted members)"] -- "trigger" --> C
  C -- "runs" --> D["Pinned Docker image (digest)"]

File Walkthrough
pr-agent.yml
Pin PR-Agent runtime and restrict comment trigger
.github/workflows/pr-agent.yml
- `uses: the-pr-agent/pr-agent@main` with a digest-pinned Docker image `docker://pragent/pr-agent@sha256:...`
- `author_association` check for `issue_comment` trigger to restrict to OWNER/MEMBER/COLLABORATOR
- permission requirements
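
The verification items above (`uses` in `docker://...@sha256:` form, no leftover mutable refs) and the commit message's directive not to check out PR head code can be combined into one repeatable check. The following is an added example, not code from this PR or the project: the function name `audit_workflow`, the finding labels, the sample workflow and its all-zero digest are constructed for illustration. It scans lines with standard-library regular expressions instead of PyYAML, and goes slightly beyond the PR's check by also flagging tag-pinned actions in general.

```python
import re

# Constructed sample workflow (not the project's file); digest and SHA are placeholders.
SAMPLE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  pr_agent_job:
    runs-on: ubuntu-latest
    steps:
      - uses: the-pr-agent/pr-agent@main
      - uses: docker://pragent/pr-agent:github_action
      - uses: docker://pragent/pr-agent@sha256:%s
      - uses: actions/checkout@%s
        with:
          ref: ${{ github.event.pull_request.head.sha }}
""" % ("0" * 64, "a" * 40)

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
DOCKER_DIGEST = re.compile(r"^docker://[^@\s]+@sha256:[0-9a-f]{64}$")
ACTION_SHA = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")
HEAD_REF = re.compile(r"^\s*ref:.*github\.event\.pull_request\.head\.")

def audit_workflow(text):
    """Return (line_no, kind, value) findings for a workflow file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local action, versioned with the repository itself
            if ref.startswith("docker://"):
                if not DOCKER_DIGEST.match(ref):
                    findings.append((no, "mutable-docker-ref", ref))
            elif not ACTION_SHA.match(ref):
                findings.append((no, "mutable-action-ref", ref))
        elif HEAD_REF.match(line):
            findings.append((no, "checks-out-pr-head", line.strip()))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding, sep="\t")
```

A full-SHA action pin passes this check, but as the commit message notes for the wrapper action, a pinned action can still resolve a mutable image tag at runtime, which is why the PR pins the container digest itself.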