Skip to content

fixing CI security issue #380

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
okjintao merged 1 commit into from
Mar 25, 2026
Merged

fixing CI security issue #380

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion .github/workflows/validate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: Validate
on:
pull_request_target:

permissions:
contents: read

jobs:
schema:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -49,10 +52,12 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
path: ./head
Comment on lines 56 to +60
Copy link

Copilot AI Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When checking out the PR head in a pull_request_target workflow, use the immutable github.event.pull_request.head.sha instead of head.ref to avoid TOCTOU issues (the branch can move between trigger and checkout). Also set persist-credentials: false on this checkout so the GITHUB_TOKEN isn’t written into ./head/.git/config, which reduces the risk of later steps inadvertently leaking it.

Copilot uses AI. Check for mistakes.

- name: Setup Node.js
uses: actions/setup-node@v4
Expand Down Expand Up @@ -81,7 +86,7 @@ jobs:
run: pnpm install

- name: Lint Check
run: pnpx @biomejs/biome@2.0.0 ci
run: pnpx @biomejs/biome@2.0.0 ci ./head
Copy link

Copilot AI Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

biome ci ./head will still auto-discover config starting from the current working directory, so it will use the base repo’s biome.json even if the PR modifies ./head/biome.json. If you want config changes in the PR to be validated as part of this check (without changing CWD), pass Biome a config path (e.g., --config-path ./head or --config-path ./head/biome.json).

Suggested change
run: pnpx @biomejs/biome@2.0.0 ci ./head
run: pnpx @biomejs/biome@2.0.0 ci ./head --config-path ./head

Copilot uses AI. Check for mistakes.

data-consistency:
needs: schema
Expand Down
Loading