
Commit d767c47

fix(security): address artifact poisoning and missing permissions alerts
- Download artifacts to temp directory to prevent file override attacks - Validate PR number is numeric before using it - Add explicit permissions to all workflows following least-privilege Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent ed1f603 commit d767c47


8 files changed

+78
-10
lines changed


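--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -3,6 +3,9 @@ name: PR Validation
 on:
 pull_request:
 
+permissions:
+contents: read
+
 jobs:
 validate:
 name: Validate Artifact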

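--- a/.github/workflows/pr-merged.yml
+++ b/.github/workflows/pr-merged.yml
@@ -1,5 +1,9 @@
 name: Update quickstarts
 
+permissions:
+contents: write
+pull-requests: read
+
 env:
 THIRD_PARTY_GIT_AUTHOR_EMAIL: opensource+bot@newrelic.com
 THIRD_PARTY_GIT_AUTHOR_NAME: nr-opensource-bot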
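Review bot: `contents: write` on new lines 3-4 is declared at workflow level, so every job in this workflow receives the write scope, not only the job that pushes; repolinter.yml does the same with `issues: write`. If a single job performs the push (the `THIRD_PARTY_GIT_AUTHOR_*` env suggests one does, but the jobs are outside the hunk), declare `permissions: contents: read` here and move `contents: write` into that job's own `permissions:` block, and likewise scope `issues: write` to the job that files issues in repolinter.yml. As written the scope is still far narrower than the default token, so this is a refinement rather than a blocker.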

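--- a/.github/workflows/repolinter.yml
+++ b/.github/workflows/repolinter.yml
@@ -8,6 +8,10 @@ name: Repolinter Action
 # filtered in the "Test Default Branch" step.
 on: [push, workflow_dispatch]
 
+permissions:
+contents: read
+issues: write
+
 jobs:
 repolint:
 name: Run Repolinter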

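--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - "utils/**"
 
+permissions:
+contents: read
+
 jobs:
 run-unit-tests:
 name: Unit tests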

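--- a/.github/workflows/submit-gate.yml
+++ b/.github/workflows/submit-gate.yml
@@ -10,6 +10,9 @@ on:
 - release
 types: [closed]
 
+permissions:
+contents: read
+
 jobs:
 upload-artifact:
 runs-on: ubuntu-latest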

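--- a/.github/workflows/validate_packs.yml
+++ b/.github/workflows/validate_packs.yml
@@ -6,6 +6,11 @@ on:
 types:
 - completed
 
+permissions:
+contents: read
+statuses: write
+pull-requests: write
+
 env:
 COMMIT_SHA: ${{ github.event.workflow_run.head_commit.id }}
 
@@ -14,16 +19,24 @@ jobs:
 name: Ensure quickstart ids are unique
 runs-on: ubuntu-latest
 steps:
+- name: Create temp directory
+run: mkdir -p ${{ runner.temp }}/artifacts/
+
 - name: Download artifact
 uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
 with:
 workflow: validation_gate.yml
 run_id: ${{ github.event.workflow_run.id }}
+path: ${{ runner.temp }}/artifacts/
 
-- name: Get PR number
+- name: Get and validate PR number
 id: get_pr_number
 run: |
-export PR_NUMBER=$(cat artifact/pr_number.txt)
+PR_NUMBER=$(cat ${{ runner.temp }}/artifacts/artifact/pr_number.txt)
+if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+echo "Error: Invalid PR number"
+exit 1
+fi
 echo "pr-number=$PR_NUMBER" >> $GITHUB_ENV
 
 - name: Checkout repository
@@ -48,16 +61,24 @@ jobs:
 name: Ensure images are valid
 runs-on: ubuntu-latest
 steps:
+- name: Create temp directory
+run: mkdir -p ${{ runner.temp }}/artifacts/
+
 - name: Download artifact
 uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
 with:
 workflow: validation_gate.yml
 run_id: ${{ github.event.workflow_run.id }}
+path: ${{ runner.temp }}/artifacts/
 
-- name: Get PR number
+- name: Get and validate PR number
 id: get_pr_number
 run: |
-export PR_NUMBER=$(cat artifact/pr_number.txt)
+PR_NUMBER=$(cat ${{ runner.temp }}/artifacts/artifact/pr_number.txt)
+if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+echo "Error: Invalid PR number"
+exit 1
+fi
 echo "pr-number=$PR_NUMBER" >> $GITHUB_ENV
 
 - name: Checkout repository
@@ -82,16 +103,24 @@ jobs:
 name: Ensure icons exist
 runs-on: ubuntu-latest
 steps:
+- name: Create temp directory
+run: mkdir -p ${{ runner.temp }}/artifacts/
+
 - name: Download artifact
 uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
 with:
 workflow: validation_gate.yml
 run_id: ${{ github.event.workflow_run.id }}
+path: ${{ runner.temp }}/artifacts/
 
-- name: Get PR number
+- name: Get and validate PR number
 id: get_pr_number
 run: |
-export PR_NUMBER=$(cat artifact/pr_number.txt)
+PR_NUMBER=$(cat ${{ runner.temp }}/artifacts/artifact/pr_number.txt)
+if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+echo "Error: Invalid PR number"
+exit 1
+fi
 echo "pr-number=$PR_NUMBER" >> $GITHUB_ENV
 
 - name: Checkout repository
@@ -116,16 +145,24 @@ jobs:
 name: Ensure quickstart dashboard names are unique
 runs-on: ubuntu-latest
 steps:
+- name: Create temp directory
+run: mkdir -p ${{ runner.temp }}/artifacts/
+
 - name: Download artifact
 uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
 with:
 workflow: validation_gate.yml
 run_id: ${{ github.event.workflow_run.id }}
+path: ${{ runner.temp }}/artifacts/
 
-- name: Get PR number
+- name: Get and validate PR number
 id: get_pr_number
 run: |
-export PR_NUMBER=$(cat artifact/pr_number.txt)
+PR_NUMBER=$(cat ${{ runner.temp }}/artifacts/artifact/pr_number.txt)
+if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+echo "Error: Invalid PR number"
+exit 1
+fi
 echo "pr-number=$PR_NUMBER" >> $GITHUB_ENV
 
 - name: Checkout repository
@@ -149,16 +186,24 @@ jobs:
 dashboard-helper:
 runs-on: ubuntu-latest
 steps:
+- name: Create temp directory
+run: mkdir -p ${{ runner.temp }}/artifacts/
+
 - name: Download artifact
 uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e
 with:
 workflow: validation_gate.yml
 run_id: ${{ github.event.workflow_run.id }}
+path: ${{ runner.temp }}/artifacts/
 
-- name: Get PR number
+- name: Get and validate PR number
 id: get_pr_number
 run: |
-export PR_NUMBER=$(cat artifact/pr_number.txt)
+PR_NUMBER=$(cat ${{ runner.temp }}/artifacts/artifact/pr_number.txt)
+if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
+echo "Error: Invalid PR number"
+exit 1
+fi
 echo "pr-number=$PR_NUMBER" >> $GITHUB_ENV
 
 - name: Checkout repository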
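Review bot: The `^[0-9]+$` check on `PR_NUMBER` (new lines 36-39, repeated in the four later hunks) proves the value is safe to interpolate, but not that it belongs to the run that triggered this `workflow_run`; the artifact comes from validation_gate.yml on a `pull_request` event, whose job runs under the PR's own copy of that workflow, so a well-formed number naming some other PR passes the check and the later steps holding the workflow-wide `pull-requests: write` / `statuses: write` from the first hunk would act on it. Consider cross-checking it against `${{ github.event.workflow_run.pull_requests[0].number }}` where that array is populated, or otherwise confirming through the API that the named PR's head SHA equals `COMMIT_SHA`, and failing the step when neither holds. The same three-step prologue is now copied into five jobs, so a composite action or a single validating job with an output would keep the check in one place. In every hunk the step list continues past the last line (Checkout repository and whatever consumes `pr-number` are outside it).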

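--- a/.github/workflows/validation_gate.yml
+++ b/.github/workflows/validation_gate.yml
@@ -7,6 +7,9 @@ name: Validation Gate
 on:
 pull_request:
 
+permissions:
+contents: read
+
 jobs:
 upload-artifact:
 runs-on: ubuntu-latest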

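--- a/.github/workflows/yaml-lint.yml
+++ b/.github/workflows/yaml-lint.yml
@@ -6,6 +6,9 @@ on:
 - "**.yml"
 - "**.yaml"
 
+permissions:
+contents: read
+
 jobs:
 lint-yaml-files:
 name: Lint YAML Files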
