chore: add stale PR cleanup workflow via centralized pr-manager#525
chore: add stale PR cleanup workflow via centralized pr-manager#525Manask322 wants to merge 5 commits into
Conversation
| jobs: | ||
| stale: | ||
| uses: razorpay/actions/.github/workflows/pr-manager.yaml@master | ||
| secrets: inherit |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Workflow passes all repository secrets to external reusable workflow, violating least privilege and exposing all credentials if the reusable workflow is compromised.
More details about this
This workflow passes all repository secrets to the reusable workflow at razorpay/actions/.github/workflows/pr-manager.yaml@master using secrets: inherit.
Here's how an attacker could exploit this:
-
Compromise or take over the reusable workflow: An attacker gains control of the
pr-manager.yamlworkflow in therazorpay/actionsrepository (e.g., by compromising the maintainer's credentials or finding a vulnerability in that repo). -
Extract all secrets: The compromised workflow now has access to every secret in your repository via the
inheritdirective—potentially including database credentials, API keys, deployment tokens, and authentication tokens. -
Exfiltrate credentials: The attacker's malicious code in the reusable workflow logs these secrets to build output, sends them to an attacker-controlled server, or commits them to a public repository.
-
Use secrets for lateral attacks: With credentials like
DEPLOY_TOKENorDATABASE_PASSWORD, the attacker can access your production systems, databases, or downstream services.
Even if the workflow maintainers are trustworthy today, the principle of least privilege means the PR manager workflow should only receive the specific secrets it actually needs (likely none, or just a specific GitHub token), not your entire vault of credentials.
To resolve this comment:
✨ Commit fix suggestion
| secrets: inherit | |
| # PR Manager — stale PR cleanup via centralized reusable workflow in razorpay/actions. | |
| # See: https://github.com/razorpay/actions/blob/master/.github/workflows/pr-manager.yaml | |
| name: PR Manager | |
| on: | |
| schedule: | |
| - cron: '30 20 * * *' # 2:00 AM IST (8:30 PM UTC) | |
| workflow_dispatch: {} | |
| jobs: | |
| stale: | |
| uses: razorpay/actions/.github/workflows/pr-manager.yaml@master | |
| secrets: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
View step-by-step instructions
- Replace
secrets: inheritwith an explicitsecrets:map under thestalejob. - Pass only the secret that this reusable workflow needs. For this PR manager workflow, map the GitHub token explicitly as
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}. - Update the job to look like
secrets: { GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} }or the multiline equivalent:
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - Keep any other secrets out of this map unless the reusable workflow specifically requires them. This limits the called workflow to the minimum access it needs.
💬 Ignore this finding
Leave a nosemgrep comment directly above or at the end of line 13 like so // nosemgrep: yaml.github-actions.security.secrets-inherit.secrets-inherit
Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.
You can view more details about this finding in the Semgrep AppSec Platform.
Adds centralized PR Manager workflow that delegates stale PR cleanup to
razorpay/actions/.github/workflows/pr-manager.yaml.