
fix(ci): restrict manual publish workflow execution to version branches #339

Merged
twisti-dev merged 3 commits into version/26.2 from codex/fix-arbitrary-code-execution-in-publish-workflow on Jun 29, 2026

Conversation

@twisti-dev

Contributor

Motivation

  • Prevent exposure of publishing credentials and execution of repository-controlled build/publish code via workflow_dispatch by ensuring manual runs only execute against release branches.

Description

  • Add a job-level guard in .github/workflows/publish.yml: if: github.event_name != 'workflow_dispatch' || startsWith(github.ref, 'refs/heads/version/') so manually-dispatched runs only proceed when the selected ref is a version/* branch while preserving existing push-trigger behavior.

Testing

  • Programmatically inspected the updated .github/workflows/publish.yml and confirmed the diff contains only the single if: guard addition and the workflow still triggers on push to version/* branches.

Codex Task
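For readers who want to see where such a guard sits, here is a workflow shaped like the one the description refers to, with the job-level condition in place. This is an added illustration written for this page, not the repository's actual .github/workflows/publish.yml; the job name, steps, environment and secret names are assumptions.

```yaml
# Added illustration of the job-level guard described in the PR; not the
# project's own publish.yml. Job name, steps and secret names are assumed.
name: publish

on:
  push:
    branches:
      - 'version/*'       # release branches publish automatically on push
  workflow_dispatch:      # a manual run executes against whatever ref the
                          # person starting it selects in the UI or API

jobs:
  publish:
    runs-on: ubuntu-latest
    # Job-level guard, as in the PR: push runs are unaffected; a manual run
    # proceeds only when the selected ref is a version/* branch.
    #   - refs/heads/version/26.2   -> runs
    #   - refs/heads/feature/x      -> skipped
    #   - refs/heads/version-next   -> skipped (prefix needs the trailing '/')
    #   - refs/tags/version/26.2    -> skipped (tags live under refs/tags/)
    # Because the condition is on the job rather than on a step, a rejected
    # run never reaches checkout, so build/publish scripts taken from a
    # non-release branch are never executed with this job's credentials.
    if: github.event_name != 'workflow_dispatch' || startsWith(github.ref, 'refs/heads/version/')
    environment: release   # assumed: scopes the publishing secrets to this job
    steps:
      - uses: actions/checkout@v4
      - name: Build and publish
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}   # assumed secret name
        run: ./gradlew publish
```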

@twisti-dev twisti-dev force-pushed the codex/fix-arbitrary-code-execution-in-publish-workflow branch 2 times, most recently from 0cf4a0a to 2766971 Compare May 17, 2026 22:17
@twisti-dev twisti-dev force-pushed the codex/fix-arbitrary-code-execution-in-publish-workflow branch 2 times, most recently from e7212e1 to c45fe0c Compare May 27, 2026 12:30
@twisti-dev twisti-dev force-pushed the codex/fix-arbitrary-code-execution-in-publish-workflow branch from c45fe0c to bc5cb5f Compare May 27, 2026 19:24
@github-actions

Contributor

⚠️ API/ABI changes detected!

This PR contains changes that modified the public API. To update the reference ABI dumps:

./gradlew updateKotlinAbi
git add **/api/**
git commit -m "Update ABI reference"
git push

After updating, the CI will pass. Make sure the changes are backward compatible.

@mergify mergify Bot added the conflict label May 27, 2026
@mergify

mergify Bot commented May 27, 2026

Contributor

👋 twisti-dev your PR is conflicting and needs to be updated to be merged

@twisti-dev twisti-dev changed the base branch from version/26.1 to version/26.2 June 29, 2026 13:03
@twisti-dev twisti-dev marked this pull request as ready for review June 29, 2026 13:04
@twisti-dev twisti-dev merged commit 0141139 into version/26.2 Jun 29, 2026
7 checks passed
@twisti-dev twisti-dev deleted the codex/fix-arbitrary-code-execution-in-publish-workflow branch June 29, 2026 13:04
@mergify mergify Bot removed the conflict label Jun 29, 2026
