Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# PR Manager — stale PR cleanup via centralized reusable workflow in razorpay/actions.
# See: https://github.com/razorpay/actions/blob/master/.github/workflows/pr-manager.yaml
name: PR Manager

on:
schedule:
- cron: '30 20 * * *' # 2:00 AM IST (8:30 PM UTC)
workflow_dispatch: {}

jobs:
stale:
uses: razorpay/actions/.github/workflows/pr-manager.yaml@master
secrets: inherit

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

Workflow passes all repository secrets to external reusable workflow, violating least privilege and exposing all credentials if the reusable workflow is compromised.

More details about this

This workflow passes all repository secrets to the reusable workflow at razorpay/actions/.github/workflows/pr-manager.yaml@master using secrets: inherit.

Here's how an attacker could exploit this:

  1. Compromise or take over the reusable workflow: An attacker gains control of the pr-manager.yaml workflow in the razorpay/actions repository (e.g., by compromising the maintainer's credentials or finding a vulnerability in that repo).

  2. Extract all secrets: The compromised workflow now has access to every secret in your repository via the inherit directive—potentially including database credentials, API keys, deployment tokens, and authentication tokens.

  3. Exfiltrate credentials: The attacker's malicious code in the reusable workflow logs these secrets to build output, sends them to an attacker-controlled server, or commits them to a public repository.

  4. Use secrets for lateral attacks: With credentials like DEPLOY_TOKEN or DATABASE_PASSWORD, the attacker can access your production systems, databases, or downstream services.

Even if the workflow maintainers are trustworthy today, the principle of least privilege means the PR manager workflow should only receive the specific secrets it actually needs (likely none, or just a specific GitHub token), not your entire vault of credentials.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
secrets: inherit
# PR Manager — stale PR cleanup via centralized reusable workflow in razorpay/actions.
# See: https://github.com/razorpay/actions/blob/master/.github/workflows/pr-manager.yaml
name: PR Manager
on:
schedule:
- cron: '30 20 * * *' # 2:00 AM IST (8:30 PM UTC)
workflow_dispatch: {}
jobs:
stale:
uses: razorpay/actions/.github/workflows/pr-manager.yaml@master
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
View step-by-step instructions
  1. Replace secrets: inherit with an explicit secrets: map under the stale job.
  2. Pass only the secret that this reusable workflow needs. For this PR manager workflow, map the GitHub token explicitly as GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}.
  3. Update the job to look like secrets: { GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} } or the multiline equivalent:
    secrets:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  4. Keep any other secrets out of this map unless the reusable workflow specifically requires them. This limits the called workflow to the minimum access it needs.
💬 Ignore this finding

Leave a nosemgrep comment directly above or at the end of line 13 like so // nosemgrep: yaml.github-actions.security.secrets-inherit.secrets-inherit

Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.

You can view more details about this finding in the Semgrep AppSec Platform.