Skip to content

chore: add stale PR cleanup workflow via centralized pr-manager#525

Open
Manask322 wants to merge 5 commits into
masterfrom
chore/add-pr-manager-workflow
Open

chore: add stale PR cleanup workflow via centralized pr-manager#525
Manask322 wants to merge 5 commits into
masterfrom
chore/add-pr-manager-workflow

Conversation

@Manask322

Copy link
Copy Markdown
Member

Adds centralized PR Manager workflow that delegates stale PR cleanup to razorpay/actions/.github/workflows/pr-manager.yaml.

jobs:
stale:
uses: razorpay/actions/.github/workflows/pr-manager.yaml@master
secrets: inherit

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

Workflow passes all repository secrets to external reusable workflow, violating least privilege and exposing all credentials if the reusable workflow is compromised.

More details about this

This workflow passes all repository secrets to the reusable workflow at razorpay/actions/.github/workflows/pr-manager.yaml@master using secrets: inherit.

Here's how an attacker could exploit this:

  1. Compromise or take over the reusable workflow: An attacker gains control of the pr-manager.yaml workflow in the razorpay/actions repository (e.g., by compromising the maintainer's credentials or finding a vulnerability in that repo).

  2. Extract all secrets: The compromised workflow now has access to every secret in your repository via the inherit directive—potentially including database credentials, API keys, deployment tokens, and authentication tokens.

  3. Exfiltrate credentials: The attacker's malicious code in the reusable workflow logs these secrets to build output, sends them to an attacker-controlled server, or commits them to a public repository.

  4. Use secrets for lateral attacks: With credentials like DEPLOY_TOKEN or DATABASE_PASSWORD, the attacker can access your production systems, databases, or downstream services.

Even if the workflow maintainers are trustworthy today, the principle of least privilege means the PR manager workflow should only receive the specific secrets it actually needs (likely none, or just a specific GitHub token), not your entire vault of credentials.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
secrets: inherit
# PR Manager — stale PR cleanup via centralized reusable workflow in razorpay/actions.
# See: https://github.com/razorpay/actions/blob/master/.github/workflows/pr-manager.yaml
name: PR Manager
on:
schedule:
- cron: '30 20 * * *' # 2:00 AM IST (8:30 PM UTC)
workflow_dispatch: {}
jobs:
stale:
uses: razorpay/actions/.github/workflows/pr-manager.yaml@master
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
View step-by-step instructions
  1. Replace secrets: inherit with an explicit secrets: map under the stale job.
  2. Pass only the secret that this reusable workflow needs. For this PR manager workflow, map the GitHub token explicitly as GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}.
  3. Update the job to look like secrets: { GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} } or the multiline equivalent:
    secrets:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  4. Keep any other secrets out of this map unless the reusable workflow specifically requires them. This limits the called workflow to the minimum access it needs.
💬 Ignore this finding

Leave a nosemgrep comment directly above or at the end of line 13 like so // nosemgrep: yaml.github-actions.security.secrets-inherit.secrets-inherit

Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.

You can view more details about this finding in the Semgrep AppSec Platform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant