Summary
The Wizard workflows process untrusted issue and pull-request content while holding repository and pull-request write permissions. They also install the Wizard CLI using an unpinned curl | bash command and use mutable action tags.
The issue-triage workflow directly interpolates issue content into shell commands and passes that content to an autonomous workspace-write agent with GH_TOKEN.
Risks
- Shell or GitHub-output injection through issue metadata.
- Prompt injection that induces repository mutations outside the intended dbt scope.
- Supply-chain compromise through an unpinned installer or mutable action tag.
- Excessive token permissions on classification and review jobs.
- Automated direct pushes without a protected approval boundary.
Scope
- Pin every GitHub Action by commit SHA.
- Install a specific Wizard CLI version from a verified checksum or signed artifact.
- Pass issue and PR content through safely encoded files or environment variables, never direct expression interpolation in shell.
- Treat issue and PR bodies as untrusted data in agent instructions.
- Set minimum permissions per job and step.
- Prevent autonomous direct pushes to protected branches; require PRs and environment approval for write operations.
- Add failure handling for API and classifier errors.
- Add security tests or static workflow checks for untrusted interpolation.
Acceptance criteria
Related work
Summary
The Wizard workflows process untrusted issue and pull-request content while holding repository and pull-request write permissions. They also install the Wizard CLI using an unpinned
curl | bashcommand and use mutable action tags.The issue-triage workflow directly interpolates issue content into shell commands and passes that content to an autonomous workspace-write agent with
GH_TOKEN.Risks
Scope
Acceptance criteria
curl | bashinstaller remains.main.Related work