6 changes: 4 additions & 2 deletions .github/workflows/cargo-fmt-bot.yml
Expand Up @@ -55,10 +55,12 @@ jobs:
- name: Get PR branch
id: pr
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
PR_NUMBER: ${{ github.event.inputs.pr_number }}
with:
script: |
const prNumber = context.eventName === 'workflow_dispatch'
? '${{ github.event.inputs.pr_number }}'
? process.env.PR_NUMBER
: context.issue.number;
const pr = await github.rest.pulls.get({
owner: context.repo.owner,
Expand All @@ -76,7 +78,7 @@ jobs:
- name: Checkout PR branch
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ steps.pr.outputs.ref }}
ref: ${{ steps.pr.outputs.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0

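Review bot: The `PR_NUMBER` read from `process.env` in the "Get PR branch" step is still passed straight into `github.rest.pulls.get` without being checked, so the `env:` indirection removes the expression-injection vector but not the unvalidated input itself. A non-numeric value would most likely just make the API call 404, but an explicit guard gives a clear failure and documents the trust boundary: `if (!/^\d+$/.test(String(prNumber))) return core.setFailed('pr_number must be a positive integer');`. On the `issue_comment` path, `context.issue.number` is also set for comments on plain issues, so it is worth confirming that `pr.data` is actually a pull request before exporting `sha`; the outputs and the later push step are outside this hunk.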
10 changes: 7 additions & 3 deletions .github/workflows/fix-metadata-conflicts-bot.yml
Expand Up @@ -50,11 +50,13 @@ jobs:
- name: Parse command and validate
id: parse
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
STRATEGY: ${{ github.event.inputs.strategy }}
with:
script: |
let strategy;
if (context.eventName === 'workflow_dispatch') {
strategy = '${{ github.event.inputs.strategy }}';
strategy = process.env.STRATEGY;
} else {
const comment = context.payload.comment.body.trim();
const match = comment.match(/^\/bot\s+fix-metadata-conflicts\s+(accept-current|accept-incoming)\s*$/);
Expand Down Expand Up @@ -82,10 +84,12 @@ jobs:
- name: Get PR branch
id: pr
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
PR_NUMBER: ${{ github.event.inputs.pr_number }}
with:
script: |
const prNumber = context.eventName === 'workflow_dispatch'
? '${{ github.event.inputs.pr_number }}'
? process.env.PR_NUMBER
: context.issue.number;
const pr = await github.rest.pulls.get({
owner: context.repo.owner,
Expand All @@ -104,7 +108,7 @@ jobs:
- name: Checkout PR branch
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ steps.pr.outputs.ref }}
ref: ${{ steps.pr.outputs.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0

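Review bot: In "Parse command and validate", the `workflow_dispatch` branch takes `strategy` from `process.env.STRATEGY` with no check, while the comment branch enforces `(accept-current|accept-incoming)` via the regex; unless the input is declared `type: choice` (not visible here), a free-form string reaches whatever consumes `strategy` further down. The two paths should share one allowlist after the `if`/`else`: `const allowed = ['accept-current', 'accept-incoming'];` then `if (!allowed.includes(strategy)) return core.setFailed(\`invalid strategy: ${strategy}\`);`. The rest of the step's body is outside the hunk, so if an equivalent check already exists there this is just a matter of placing it where both branches meet.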
9 changes: 5 additions & 4 deletions .github/workflows/rebuild-chainspec-bot.yml
Expand Up @@ -94,10 +94,12 @@ jobs:
- name: Get PR branch
id: pr
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
PR_NUMBER: ${{ github.event.inputs.pr_number }}
with:
script: |
const prNumber = context.eventName === 'workflow_dispatch'
? '${{ github.event.inputs.pr_number }}'
? process.env.PR_NUMBER
: context.issue.number;
const pr = await github.rest.pulls.get({
owner: context.repo.owner,
Expand All @@ -115,7 +117,7 @@ jobs:
- name: Checkout PR branch
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ steps.pr.outputs.ref }}
ref: ${{ steps.pr.outputs.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0

Expand All @@ -135,14 +137,13 @@ jobs:

- name: Run rebuild-chainspec
env:
EARTHLY_CONFIG: .earthly/config.yml
NETWORKS: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.networks || steps.parse_comment.outputs.networks }}
run: |
mkdir -p "$HOME"/.cargo
echo "[net]" >> "$HOME"/.cargo/config
echo "git-fetch-with-cli = true" >> "$HOME"/.cargo/config

. ./.envrc

# Split networks and run earthly for each
for network in $NETWORKS; do
echo "Rebuilding chainspec for network: $network"
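Review bot: In "Run rebuild-chainspec", the `NETWORKS` expression selects `github.event.inputs.networks` directly on `workflow_dispatch`, so any validation `parse_comment` performs for the comment path is bypassed and unchecked tokens reach `for network in $NETWORKS` and, presumably, the earthly invocation below the hunk. The unquoted expansion is intentional for splitting, but a token beginning with `-` or containing glob characters can turn into a flag or expand against the working tree; add a per-token guard at the top of the loop: `case "$network" in ''|*[!A-Za-z0-9_-]*) echo "invalid network: $network" >&2; exit 1;; esac`. Pointing `EARTHLY_CONFIG` at `.earthly/config.yml` is an improvement over sourcing `.envrc`, but note the file is still read from the checked-out PR head, as is the Earthfile that `earthly` executes.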
10 changes: 7 additions & 3 deletions .github/workflows/rebuild-metadata-bot.yml
Expand Up @@ -55,10 +55,12 @@ jobs:
- name: Get PR branch
id: pr
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
PR_NUMBER: ${{ github.event.inputs.pr_number }}
with:
script: |
const prNumber = context.eventName === 'workflow_dispatch'
? '${{ github.event.inputs.pr_number }}'
? process.env.PR_NUMBER
: context.issue.number;
const pr = await github.rest.pulls.get({
owner: context.repo.owner,
Expand All @@ -76,7 +78,7 @@ jobs:
- name: Checkout PR branch
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ steps.pr.outputs.ref }}
ref: ${{ steps.pr.outputs.sha }}
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0

Expand All @@ -95,11 +97,13 @@ jobs:
password: ${{ secrets.MIDNIGHTCI_PACKAGES_READ }}

- name: Run rebuild-metadata
env:
EARTHLY_CONFIG: .earthly/config.yml
run: |
mkdir -p "$HOME"/.cargo
echo "[net]" >> "$HOME"/.cargo/config
echo "git-fetch-with-cli = true" >> "$HOME"/.cargo/config
. ./.envrc && earthly -P +rebuild-metadata
earthly -P +rebuild-metadata

- name: Commit and push changes
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
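Review bot: In "Run rebuild-metadata", `EARTHLY_CONFIG: .earthly/config.yml` is resolved relative to the checkout, so it is still PR-head content, and `earthly -P +rebuild-metadata` runs that head's Earthfile in privileged mode with `MIDNIGHTCI_PACKAGES_READ` already consumed by the job above. Dropping `. ./.envrc` narrows the shell-sourcing surface and the SHA pin closes the race, but the job inherently executes author-controlled build code, so the effective control is an actor-permission gate before checkout; that gate is outside this view and should be confirmed present. A why-comment on the step would make this explicit for the next maintainer: `# Executes the Earthfile from the pinned PR head in privileged mode; only safe because the trigger is gated on actor permission earlier in the job.`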
6 changes: 6 additions & 0 deletions changes/changed/bot-workflow-security-hardening.md
@@ -0,0 +1,6 @@
#ci #security
# Harden bot workflows against TOCTOU and expression injection
Fix compound TOCTOU vulnerability (M-F001) and expression injection findings (M-F002, M-F003, M-F004) in four comment-triggered bot workflows. Switch checkout from branch name to commit SHA, remove .envrc sourcing in favor of explicit EARTHLY_CONFIG, and migrate user-supplied inputs to env: block indirection.

PR: https://github.com/midnightntwrk/midnight-node/pull/848
Ticket: https://shielded.atlassian.net/browse/PM-22117