Skip to content

security: harden autonomous Wizard GitHub workflows #131

Description

@C00ldudeNoonan

Summary

The Wizard workflows process untrusted issue and pull-request content while holding repository and pull-request write permissions. They also install the Wizard CLI using an unpinned curl | bash command and use mutable action tags.

The issue-triage workflow directly interpolates issue content into shell commands and passes that content to an autonomous workspace-write agent with GH_TOKEN.

Risks

  • Shell or GitHub-output injection through issue metadata.
  • Prompt injection that induces repository mutations outside the intended dbt scope.
  • Supply-chain compromise through an unpinned installer or mutable action tag.
  • Excessive token permissions on classification and review jobs.
  • Automated direct pushes without a protected approval boundary.

Scope

  • Pin every GitHub Action by commit SHA.
  • Install a specific Wizard CLI version from a verified checksum or signed artifact.
  • Pass issue and PR content through safely encoded files or environment variables, never direct expression interpolation in shell.
  • Treat issue and PR bodies as untrusted data in agent instructions.
  • Set minimum permissions per job and step.
  • Prevent autonomous direct pushes to protected branches; require PRs and environment approval for write operations.
  • Add failure handling for API and classifier errors.
  • Add security tests or static workflow checks for untrusted interpolation.

Acceptance criteria

  • No curl | bash installer remains.
  • No untrusted GitHub field is directly interpolated into a shell script.
  • Read-only jobs have read-only tokens.
  • Repository writes require an explicit approved job/environment.
  • Autonomous agents cannot push directly to main.
  • All third-party actions and tools are immutably pinned.
  • Workflow lint/security checks run in CI.

Related work

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions