From 63a962f065ade652af6f793d6f90ecab8bf447fd Mon Sep 17 00:00:00 2001 From: enyst Date: Sun, 24 May 2026 00:12:54 +0000 Subject: [PATCH 1/4] Harden workflow GitHub context handling Pass attacker-controllable GitHub context and workflow values through environment variables before shell use. Co-authored-by: openhands --- .github/workflows/vulnerability-scan.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 188db7fe..3afec565 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -78,10 +78,13 @@ jobs: github-token: ${{ secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC || secrets.GITHUB_TOKEN }} - name: Summary + env: + SCAN_ONLY: ${{ steps.remediate.outputs.scan-only }} + VULNERABILITIES_FOUND: ${{ steps.remediate.outputs.vulnerabilities-found }} run: | echo "### Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY - if [ "${{ steps.remediate.outputs.scan-only }}" == "true" ]; then + if [ "$SCAN_ONLY" == "true" ]; then echo "✅ No vulnerabilities found that need remediation." >> $GITHUB_STEP_SUMMARY else - echo "🔍 Found ${{ steps.remediate.outputs.vulnerabilities-found }} vulnerabilities to remediate." >> $GITHUB_STEP_SUMMARY + echo "🔍 Found $VULNERABILITIES_FOUND vulnerabilities to remediate." >> $GITHUB_STEP_SUMMARY fi From 8fbe34188e4868a50b8c9a9809a87f719203ad9f Mon Sep 17 00:00:00 2001 From: enyst Date: Sun, 24 May 2026 00:17:07 +0000 Subject: [PATCH 2/4] Sync vulnerability scan workflow copy Co-authored-by: openhands --- .../workflows/vulnerability-scan.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/plugins/vulnerability-remediation/workflows/vulnerability-scan.yml b/plugins/vulnerability-remediation/workflows/vulnerability-scan.yml index 188db7fe..3afec565 100644 --- a/plugins/vulnerability-remediation/workflows/vulnerability-scan.yml 
+++ b/plugins/vulnerability-remediation/workflows/vulnerability-scan.yml @@ -78,10 +78,13 @@ jobs: github-token: ${{ secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC || secrets.GITHUB_TOKEN }} - name: Summary + env: + SCAN_ONLY: ${{ steps.remediate.outputs.scan-only }} + VULNERABILITIES_FOUND: ${{ steps.remediate.outputs.vulnerabilities-found }} run: | echo "### Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY - if [ "${{ steps.remediate.outputs.scan-only }}" == "true" ]; then + if [ "$SCAN_ONLY" == "true" ]; then echo "✅ No vulnerabilities found that need remediation." >> $GITHUB_STEP_SUMMARY else - echo "🔍 Found ${{ steps.remediate.outputs.vulnerabilities-found }} vulnerabilities to remediate." >> $GITHUB_STEP_SUMMARY + echo "🔍 Found $VULNERABILITIES_FOUND vulnerabilities to remediate." >> $GITHUB_STEP_SUMMARY fi From 912aab38b4771f2d159bc5adc932c030a736504a Mon Sep 17 00:00:00 2001 From: enyst Date: Sun, 24 May 2026 00:24:14 +0000 Subject: [PATCH 3/4] Harden plugin workflow shell inputs Co-authored-by: openhands --- plugins/qa-changes/action.yml | 9 ++++--- plugins/release-notes/action.yml | 5 ++-- .../release-notes/workflows/release-notes.yml | 26 +++++++++++++------ plugins/vulnerability-remediation/action.yml | 12 ++++++--- 4 files changed, 35 insertions(+), 17 deletions(-) diff --git a/plugins/qa-changes/action.yml b/plugins/qa-changes/action.yml index ae1540a3..cc8b75cf 100644 --- a/plugins/qa-changes/action.yml +++ b/plugins/qa-changes/action.yml @@ -119,6 +119,9 @@ runs: env: LLM_API_KEY: ${{ inputs.llm-api-key }} GITHUB_TOKEN: ${{ inputs.github-token }} + GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} + GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }} + INPUTS_LLM_MODEL: ${{ inputs.llm-model }} run: | if [ -z "$LLM_API_KEY" ]; then echo "Error: llm-api-key is required." 
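Review bot: The new `GITHUB_EVENT_PULL_REQUEST_*` keys in this preflight `env:` block sit inside the `GITHUB_*` namespace that the runner uses for its own default variables, so the script no longer shows which values come from the runner and which are untrusted event data copied in by the action. Names outside that namespace, e.g. `PR_NUMBER: ${{ github.event.pull_request.number }}` and `PR_TITLE: ${{ github.event.pull_request.title }}`, keep the hardening and make the trust boundary visible. The same applies to `GITHUB_EVENT_INPUTS_TAG` in the Determine tag step of release-notes.yml. A comment above the block such as `# untrusted event data: pass via env, never interpolate into run:` would record why the indirection exists; the step's `run:` script continues beyond this hunk.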
@@ -129,10 +132,10 @@ runs: exit 1 fi - echo "PR Number: ${{ github.event.pull_request.number }}" - echo "PR Title: ${{ github.event.pull_request.title }}" + echo "PR Number: $GITHUB_EVENT_PULL_REQUEST_NUMBER" + echo "PR Title: $GITHUB_EVENT_PULL_REQUEST_TITLE" echo "Repository: ${{ github.repository }}" - echo "LLM model: ${{ inputs.llm-model }}" + echo "LLM model: $INPUTS_LLM_MODEL" - name: Run QA validation if: steps.preflight.outputs.skip != 'true' diff --git a/plugins/release-notes/action.yml b/plugins/release-notes/action.yml index 8fcd829b..a2b26113 100644 --- a/plugins/release-notes/action.yml +++ b/plugins/release-notes/action.yml @@ -109,9 +109,10 @@ runs: shell: bash env: GITHUB_TOKEN: ${{ inputs.github-token }} + INPUTS_TAG: ${{ inputs.tag }} run: | if [ -f release_notes.md ]; then - echo "Updating release notes for tag ${{ inputs.tag }}" - gh release edit "${{ inputs.tag }}" --notes-file release_notes.md || \ + echo "Updating release notes for tag $INPUTS_TAG" + gh release edit "$INPUTS_TAG" --notes-file release_notes.md || \ echo "Note: Could not update release. Release may not exist yet." fi diff --git a/plugins/release-notes/workflows/release-notes.yml b/plugins/release-notes/workflows/release-notes.yml index 93b2cbd4..4bce6df2 100644 --- a/plugins/release-notes/workflows/release-notes.yml +++ b/plugins/release-notes/workflows/release-notes.yml @@ -38,11 +38,15 @@ jobs: - name: Determine tag id: get-tag + env: + GITHUB_EVENT_NAME: ${{ github.event_name }} + GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} + GITHUB_REF_NAME: ${{ github.ref_name }} run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT + if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then + echo "tag=$GITHUB_EVENT_INPUTS_TAG" >> $GITHUB_OUTPUT else - echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT + echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT fi - name: Generate Release Notes 
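Review bot: `echo "Repository: ${{ github.repository }}"` is still expanded by the expression engine inside the script, while the three lines around it now read from the environment. Repository names are restricted enough that this is low risk, but the step ends up with two conventions. The runner already exports the same value, so `echo "Repository: $GITHUB_REPOSITORY"` needs no extra `env:` entry. The preflight step of plugins/vulnerability-remediation/action.yml keeps the same line, and the script here starts before this hunk.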
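Review bot: `gh release edit "$INPUTS_TAG"` no longer suffers shell interpolation, but the value still reaches `gh` unvalidated as a positional argument, so a tag input beginning with `-` would be read as an option rather than a release name. A guard ahead of the call, `case "$INPUTS_TAG" in ''|-*) echo "Error: invalid tag"; exit 1 ;; esac`, closes that gap. Separately, the `|| echo "Note: Could not update release. ..."` fallback reports every failure, including authentication errors, as a missing release; that line predates this change.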
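Review bot: The dispatch-supplied tag is appended to `$GITHUB_OUTPUT` without validation. The env indirection stops shell expansion, but a value containing a line break would still add further `name=value` lines to the output file, and the result feeds later steps. Only users allowed to dispatch the workflow can set it, so exposure is limited. Assuming the step runs under bash, a check such as `[[ "$GITHUB_EVENT_INPUTS_TAG" =~ ^[A-Za-z0-9][A-Za-z0-9._/-]*$ ]] || { echo "invalid tag"; exit 1; }` before the `echo` is cheap. Quoting the redirect target as `>> "$GITHUB_OUTPUT"` is worth doing while these lines are being touched.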
@@ -57,13 +61,19 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Display generated notes + env: + STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get-tag.outputs.tag }} + STEPS_RELEASE_NOTES_OUTPUTS_PREVIOUS_TAG: ${{ steps.release-notes.outputs.previous-tag }} + STEPS_RELEASE_NOTES_OUTPUTS_COMMIT_COUNT: ${{ steps.release-notes.outputs.commit-count }} + STEPS_RELEASE_NOTES_OUTPUTS_CONTRIBUTOR_COUNT: ${{ steps.release-notes.outputs.contributor-count }} + STEPS_RELEASE_NOTES_OUTPUTS_NEW_CONTRIBUTOR_COUNT: ${{ steps.release-notes.outputs.new-contributor-count }} run: | - echo "## Release Notes for ${{ steps.get-tag.outputs.tag }}" + echo "## Release Notes for $STEPS_GET_TAG_OUTPUTS_TAG" echo "" - echo "Previous tag: ${{ steps.release-notes.outputs.previous-tag }}" - echo "Commits: ${{ steps.release-notes.outputs.commit-count }}" - echo "Contributors: ${{ steps.release-notes.outputs.contributor-count }}" - echo "New contributors: ${{ steps.release-notes.outputs.new-contributor-count }}" + echo "Previous tag: $STEPS_RELEASE_NOTES_OUTPUTS_PREVIOUS_TAG" + echo "Commits: $STEPS_RELEASE_NOTES_OUTPUTS_COMMIT_COUNT" + echo "Contributors: $STEPS_RELEASE_NOTES_OUTPUTS_CONTRIBUTOR_COUNT" + echo "New contributors: $STEPS_RELEASE_NOTES_OUTPUTS_NEW_CONTRIBUTOR_COUNT" echo "" echo "---" cat release_notes.md diff --git a/plugins/vulnerability-remediation/action.yml b/plugins/vulnerability-remediation/action.yml index 7e9fc9b1..cbca6a0e 100644 --- a/plugins/vulnerability-remediation/action.yml +++ b/plugins/vulnerability-remediation/action.yml @@ -96,6 +96,10 @@ runs: env: LLM_API_KEY: ${{ inputs.llm-api-key }} GITHUB_TOKEN: ${{ inputs.github-token }} + INPUTS_EXTENSIONS_VERSION: ${{ inputs.extensions-version }} + INPUTS_LLM_MODEL: ${{ inputs.llm-model }} + INPUTS_SEVERITY_THRESHOLD: ${{ inputs.severity-threshold }} + INPUTS_MAX_VULNERABILITIES: ${{ inputs.max-vulnerabilities }} run: | if [ -z "$LLM_API_KEY" ]; then echo "Error: llm-api-key is required." 
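Review bot: `cat release_notes.md` at the end of this step prints generated text straight to the job log, and the runner interprets any log line that starts with `::` as a workflow command. The commit moves the expression values into `env:` but leaves this path alone. If the notes are assembled from commit or pull-request text (not visible here), wrapping the output as `t=$(uuidgen); echo "::stop-commands::$t"; cat release_notes.md; echo "::$t::"` keeps contributor-written lines from being parsed. Appending the file to `$GITHUB_STEP_SUMMARY` instead would do the same. The `cat` line itself is unchanged context in this hunk.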
@@ -108,10 +112,10 @@ runs: fi echo "Repository: ${{ github.repository }}" - echo "Extensions Version: ${{ inputs.extensions-version }}" - echo "LLM Model: ${{ inputs.llm-model }}" - echo "Severity Threshold: ${{ inputs.severity-threshold }}" - echo "Max Vulnerabilities: ${{ inputs.max-vulnerabilities }}" + echo "Extensions Version: $INPUTS_EXTENSIONS_VERSION" + echo "LLM Model: $INPUTS_LLM_MODEL" + echo "Severity Threshold: $INPUTS_SEVERITY_THRESHOLD" + echo "Max Vulnerabilities: $INPUTS_MAX_VULNERABILITIES" - name: Run vulnerability scan id: scan From 1ca5ee5fd50a19b1249d02bdda8ff6e16974a6a8 Mon Sep 17 00:00:00 2001 From: openhands Date: Sun, 24 May 2026 06:45:10 +0000 Subject: [PATCH 4/4] Simplify workflow hardening scope Co-authored-by: openhands --- .github/workflows/vulnerability-scan.yml | 7 ++----- plugins/qa-changes/action.yml | 3 +-- .../release-notes/workflows/release-notes.yml | 18 +++++++----------- .../workflows/vulnerability-scan.yml | 7 ++----- 4 files changed, 12 insertions(+), 23 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 3afec565..188db7fe 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -78,13 +78,10 @@ jobs: github-token: ${{ secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC || secrets.GITHUB_TOKEN }} - name: Summary - env: - SCAN_ONLY: ${{ steps.remediate.outputs.scan-only }} - VULNERABILITIES_FOUND: ${{ steps.remediate.outputs.vulnerabilities-found }} run: | echo "### Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY - if [ "$SCAN_ONLY" == "true" ]; then + if [ "${{ steps.remediate.outputs.scan-only }}" == "true" ]; then echo "✅ No vulnerabilities found that need remediation." >> $GITHUB_STEP_SUMMARY else - echo "🔍 Found $VULNERABILITIES_FOUND vulnerabilities to remediate." >> $GITHUB_STEP_SUMMARY + echo "🔍 Found ${{ steps.remediate.outputs.vulnerabilities-found }} vulnerabilities to remediate." >> $GITHUB_STEP_SUMMARY fi 
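Review bot: Removing the `env:` block puts `${{ steps.remediate.outputs.scan-only }}` and `${{ steps.remediate.outputs.vulnerabilities-found }}` back inside the bash script, where the runner substitutes them into the script text before the shell parses it. How those outputs are produced is not visible in this patch; if either can carry text derived from scan results or repository content, that text is parsed as shell syntax, in a job that also hands a PAT to the preceding step. Keeping `SCAN_ONLY: ${{ steps.remediate.outputs.scan-only }}` and `VULNERABILITIES_FOUND: ${{ steps.remediate.outputs.vulnerabilities-found }}` under `env:` costs three lines and removes the question. The same revert is applied to plugins/vulnerability-remediation/workflows/vulnerability-scan.yml, and the count outputs in the Display generated notes step of release-notes.yml go back inline in this commit as well.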
diff --git a/plugins/qa-changes/action.yml b/plugins/qa-changes/action.yml index cc8b75cf..20e499c8 100644 --- a/plugins/qa-changes/action.yml +++ b/plugins/qa-changes/action.yml @@ -119,7 +119,6 @@ runs: env: LLM_API_KEY: ${{ inputs.llm-api-key }} GITHUB_TOKEN: ${{ inputs.github-token }} - GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GITHUB_EVENT_PULL_REQUEST_TITLE: ${{ github.event.pull_request.title }} INPUTS_LLM_MODEL: ${{ inputs.llm-model }} run: | @@ -132,7 +131,7 @@ runs: exit 1 fi - echo "PR Number: $GITHUB_EVENT_PULL_REQUEST_NUMBER" + echo "PR Number: ${{ github.event.pull_request.number }}" echo "PR Title: $GITHUB_EVENT_PULL_REQUEST_TITLE" echo "Repository: ${{ github.repository }}" echo "LLM model: $INPUTS_LLM_MODEL" diff --git a/plugins/release-notes/workflows/release-notes.yml b/plugins/release-notes/workflows/release-notes.yml index 4bce6df2..2dddaba8 100644 --- a/plugins/release-notes/workflows/release-notes.yml +++ b/plugins/release-notes/workflows/release-notes.yml @@ -39,7 +39,6 @@ jobs: - name: Determine tag id: get-tag env: - GITHUB_EVENT_NAME: ${{ github.event_name }} GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} GITHUB_REF_NAME: ${{ github.ref_name }} run: | 
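Review bot: `GITHUB_REF_NAME: ${{ github.ref_name }}` stays in the Determine tag `env:` block although the `GITHUB_EVENT_NAME` entry next to it is dropped. Both are default variables the runner exports to every step, so the remaining entry is equally redundant. Either delete it too or add a comment such as `# GITHUB_EVENT_NAME and GITHUB_REF_NAME come from the runner defaults`, so the script's use of `$GITHUB_EVENT_NAME` without a matching `env:` key does not look like a mistake. The `run:` script itself lies outside this hunk.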
@@ -62,18 +61,15 @@ jobs: - name: Display generated notes env: - STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get-tag.outputs.tag }} - STEPS_RELEASE_NOTES_OUTPUTS_PREVIOUS_TAG: ${{ steps.release-notes.outputs.previous-tag }} - STEPS_RELEASE_NOTES_OUTPUTS_COMMIT_COUNT: ${{ steps.release-notes.outputs.commit-count }} - STEPS_RELEASE_NOTES_OUTPUTS_CONTRIBUTOR_COUNT: ${{ steps.release-notes.outputs.contributor-count }} - STEPS_RELEASE_NOTES_OUTPUTS_NEW_CONTRIBUTOR_COUNT: ${{ steps.release-notes.outputs.new-contributor-count }} + TAG: ${{ steps.get-tag.outputs.tag }} + PREVIOUS_TAG: ${{ steps.release-notes.outputs.previous-tag }} run: | - echo "## Release Notes for $STEPS_GET_TAG_OUTPUTS_TAG" + echo "## Release Notes for $TAG" echo "" - echo "Previous tag: $STEPS_RELEASE_NOTES_OUTPUTS_PREVIOUS_TAG" - echo "Commits: $STEPS_RELEASE_NOTES_OUTPUTS_COMMIT_COUNT" - echo "Contributors: $STEPS_RELEASE_NOTES_OUTPUTS_CONTRIBUTOR_COUNT" - echo "New contributors: $STEPS_RELEASE_NOTES_OUTPUTS_NEW_CONTRIBUTOR_COUNT" + echo "Previous tag: $PREVIOUS_TAG" + echo "Commits: ${{ steps.release-notes.outputs.commit-count }}" + echo "Contributors: ${{ steps.release-notes.outputs.contributor-count }}" + echo "New contributors: ${{ steps.release-notes.outputs.new-contributor-count }}" echo "" echo "---" cat release_notes.md diff --git a/plugins/vulnerability-remediation/workflows/vulnerability-scan.yml b/plugins/vulnerability-remediation/workflows/vulnerability-scan.yml index 3afec565..188db7fe 100644 --- a/plugins/vulnerability-remediation/workflows/vulnerability-scan.yml +++ b/plugins/vulnerability-remediation/workflows/vulnerability-scan.yml 
@@ -78,13 +78,10 @@ jobs: github-token: ${{ secrets.OPENHANDS_BOT_GITHUB_PAT_PUBLIC || secrets.GITHUB_TOKEN }} - name: Summary - env: - SCAN_ONLY: ${{ steps.remediate.outputs.scan-only }} - VULNERABILITIES_FOUND: ${{ steps.remediate.outputs.vulnerabilities-found }} run: | echo "### Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY - if [ "$SCAN_ONLY" == "true" ]; then + if [ "${{ steps.remediate.outputs.scan-only }}" == "true" ]; then echo "✅ No vulnerabilities found that need remediation." >> $GITHUB_STEP_SUMMARY else - echo "🔍 Found $VULNERABILITIES_FOUND vulnerabilities to remediate." >> $GITHUB_STEP_SUMMARY + echo "🔍 Found ${{ steps.remediate.outputs.vulnerabilities-found }} vulnerabilities to remediate." >> $GITHUB_STEP_SUMMARY fi