You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Head SHA:60512e2 Timestamp: 2026-05-08T11:45:00Z Outcome: comment-only
Summary
This PR adds a new dispatch-gh-classify job that fires on newly opened issues and dispatches to gh-classify.yml in the .fullsend config repo. The change is functionally sound and follows the established security pattern of passing GitHub context through environment variables to prevent script injection — with one exception where github.repository is interpolated directly in a run: block. No critical or high findings; two style/consistency observations and one intent-alignment note.
Findings
Medium
[Platform security].github/workflows/fullsend.yaml (new job, payload step run: block) — ${{ github.repository }} is interpolated directly in the run: block (--arg repo "${{ github.repository }}"), breaking the env-var-only pattern documented in the file header and used by every other job. While github.repository is GitHub-controlled and not attacker-exploitable, maintaining the pattern is important: it keeps the security posture legible for future maintainers and avoids normalizing direct ${{ }} interpolation in run: blocks where attacker-controlled fields could be introduced by copy-paste.
Remediation: Add REPO: ${{ github.repository }} to the step's env: block and reference it as "${REPO}" in the jq command, consistent with the SOURCE_REPO pattern in the dispatch step.
Low
[Style/conventions].github/workflows/fullsend.yaml (new job, dispatch step) — The dispatch step uses --field while all other dispatch jobs in this file use the -f shorthand. Functionally equivalent, but inconsistent.
Remediation: Replace --field with -f to match the existing convention.
Info
[Intent alignment] The PR description frames this as "bringing the shim back in sync with the template," but the change adds new functionality: a new event trigger (opened on issues) and a new dispatch job (dispatch-gh-classify). This is a feature addition. Not a problem per se, but worth noting for accurate changelog/release-note purposes.
Footer
Outcome: comment-only
This review applies to SHA 60512e2c5947fa3754df6eb0f849e124c5bc1fb9. Any push to the PR head clears this review and requires a new evaluation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR updates the fullsend shim workflow to match the current template in the
.fullsendconfig repo.The shim content has drifted from the template — this brings it back in sync.