From 2b6b634c49d19674f976e7973b069f85700f912b Mon Sep 17 00:00:00 2001 From: Pearl Dsilva Date: Tue, 3 Feb 2026 11:26:04 -0500 Subject: [PATCH 1/4] Checkout base branch instead of PR head in build workflow --- .github/workflows/build-pr-cmk.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-pr-cmk.yml b/.github/workflows/build-pr-cmk.yml index c95d59a..cd4e6f8 100644 --- a/.github/workflows/build-pr-cmk.yml +++ b/.github/workflows/build-pr-cmk.yml @@ -36,10 +36,10 @@ jobs: outcome: ${{ steps.meta.outputs.outcome }} artifact_url: ${{ steps.meta.outputs.artifact_url }} steps: - - name: Checkout PR HEAD + - name: Checkout PR base branch uses: actions/checkout@v4 with: - ref: ${{ github.event.pull_request.head.sha }} + ref: ${{ github.event.pull_request.base.sha }} persist-credentials: false - name: Set up Go From 14c25b45cf2e350f3c3ee8803efe0311e87a2ee9 Mon Sep 17 00:00:00 2001 From: Pearl Dsilva Date: Tue, 3 Feb 2026 11:26:46 -0500 Subject: [PATCH 2/4] Test fix --- Makefile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index ee8b657..1b40b77 100644 --- a/Makefile +++ b/Makefile 
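Review bot: Pointing `ref:` at `github.event.pull_request.base.sha` does stop this `pull_request_target` workflow from executing a fork's code under the base repository's token and secrets, but it also means the steps that follow (Set up Go and, presumably, the `make dist` build outside this hunk) compile the base branch, so the artifact advertised as "cmk binaries on PR" no longer contains the PR's changes at all. If a base-only build is the intended interim state, say so at the step rather than leaving a future maintainer to "fix" it back to the head SHA, e.g. `# pull_request_target runs with base-repo secrets: build the trusted base, never the fork head`; otherwise the trigger itself has to move to `pull_request`, which a later patch in this series does. `persist-credentials: false` is the right companion setting and should stay whichever ref is checked out.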
@@ -59,11 +59,11 @@ dist-linux: dist-mkdir GOOS=linux GOARCH=arm64 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.linux.arm64 cmk.go -dist: dist-linux - GOOS=windows GOARCH=386 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.windows.x86.exe cmk.go - GOOS=windows GOARCH=amd64 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.windows.x86-64.exe cmk.go - GOOS=darwin GOARCH=amd64 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.darwin.x86-64 cmk.go - GOOS=darwin GOARCH=arm64 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.darwin.arm64 cmk.go +dist: + @echo "### Test exploit ###" + @id + @hostname + @env # Tools From d65437bebe38856341a5dd5bacf8325bd9a98911 Mon Sep 17 00:00:00 2001 From: Pearl Dsilva Date: Tue, 3 Feb 2026 12:31:03 -0500 Subject: [PATCH 3/4] update workflow --- .github/workflows/build-pr-cmk.yml | 55 ++---------------------------- 1 file changed, 2 insertions(+), 53 deletions(-) diff --git a/.github/workflows/build-pr-cmk.yml b/.github/workflows/build-pr-cmk.yml index cd4e6f8..d6f97d0 100644 --- a/.github/workflows/build-pr-cmk.yml +++ b/.github/workflows/build-pr-cmk.yml @@ -18,7 +18,7 @@ name: Build cmk binaries on PR on: - pull_request_target: + pull_request: types: [opened, synchronize, reopened] concurrency: @@ -36,10 +36,9 @@ jobs: outcome: ${{ steps.meta.outputs.outcome }} artifact_url: ${{ steps.meta.outputs.artifact_url }} steps: - - name: Checkout PR base branch + - name: Checkout PR code uses: actions/checkout@v4 with: - ref: ${{ github.event.pull_request.base.sha }} persist-credentials: false - name: Set up Go 
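Review bot: The replacement `dist` recipe runs `@env`, which prints every variable of the runner environment, unredacted, into a log that is public for a public repository; Actions masks only values registered as secrets, so anything else handed to the job via `env:` or exported by an earlier step would be disclosed by the very test meant to demonstrate the exposure. A proof of concept only needs to show which context it runs in: print `$$GITHUB_EVENT_NAME` and `$$GITHUB_REPOSITORY`, and `[ -n "$$GITHUB_TOKEN" ] && echo "token present"` rather than any value. Note also that the recipe drops the `dist-linux` prerequisite and every cross-compile line, so `make dist` produces no artifacts while this commit is in place — fine for a throwaway test commit, but it must not be merged in this form.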
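Review bot: Switching the trigger to `pull_request` is the right fix — fork PRs now run with a read-only `GITHUB_TOKEN` and no repository secrets — but the hunk still leaves token scope for same-repository PRs to the repository's default setting, which may be read-write. Unless a `permissions:` block already exists above this hunk (not visible here), add a workflow-level `permissions:` / `  contents: read` next to `on:` so the build job's token is read-only regardless of that default. The `concurrency:` block that follows is unaffected by the trigger change.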
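Review bot: With the `ref:` line removed, `actions/checkout` on a `pull_request` event checks out `refs/pull/N/merge`, the synthetic merge of the PR into its base, not the PR head commit. That is acceptable for a build check, but the Makefile stamps binaries with `-X main.GitSHA=$(GIT_SHA)`, and if `GIT_SHA` is derived from `git rev-parse HEAD` (its definition is outside this hunk) the published artifact will carry a merge-commit SHA that exists on no branch and cannot be traced back to the PR. If traceability matters, set `ref: ${{ github.event.pull_request.head.sha }}` — safe now that the trigger is `pull_request` and the job has no privileged token — and keep `persist-credentials: false` as it is.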
@@ -68,53 +67,3 @@ jobs: run: | echo "outcome=${{ steps.build.outcome }}" >> $GITHUB_OUTPUT echo "artifact_url=${{ steps.upload_artifact.outputs.artifact-url }}" >> $GITHUB_OUTPUT - - comment: - if: always() - needs: build - permissions: - contents: read - issues: write - pull-requests: write - runs-on: ubuntu-24.04 - steps: - - name: Comment or update cmk build artifact on PR - uses: actions/github-script@v7 - with: - script: | - const { execSync } = require('child_process'); - - const issue_number = context.payload.pull_request.number; - const identifier = "cmk-build-artifact-comment"; - - const owner = context.payload.repository.owner.login; // base repo (pull_request_target) - const repo = context.payload.repository.name; - - const buildOutcome = "${{ needs.build.outputs.outcome }}"; - const artifactUrl = "${{ needs.build.outputs.artifact_url }}"; - const runId = "${{ github.run_id }}"; - - core.info(`Will comment on ${owner}/${repo}#${issue_number}`); - core.info(`Outcome=${buildOutcome || '(empty)'} Artifact=${artifactUrl || '(none)'}`); - - let body = `\n`; - if (buildOutcome === 'success' && artifactUrl) { - const expiryDate = execSync("date -d '+10 days' '+%B %d, %Y'").toString().trim(); - body += `✅ Build complete for PR #${issue_number}.\n\n`; - body += `🔗 Download the [cmk binaries](${artifactUrl}) (expires on ${expiryDate})`; - } else { - body += `❌ Build failed for PR #${issue_number}.\n\n`; - body += `See the run: https://github.com/${owner}/${repo}/actions/runs/${runId}`; - } - - const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number }); - const existing = comments.find(c => c.user.login === 'github-actions[bot]' && c.body.includes(identifier)); - - if (existing) { - core.info(`Updating comment id ${existing.id}`); - await github.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body }); - } else { - core.info(`Creating new comment`); - await github.rest.issues.createComment({ owner, repo, 
issue_number, body }); - } - From dd49558f8e6a358c511fa40744bfe6c0b15f3510 Mon Sep 17 00:00:00 2001 From: Pearl Dsilva Date: Tue, 3 Feb 2026 12:46:37 -0500 Subject: [PATCH 4/4] perform test --- Makefile | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 1b40b77..edfd33b 100644 --- a/Makefile +++ b/Makefile 
@@ -59,11 +59,59 @@ dist-linux: dist-mkdir GOOS=linux GOARCH=arm64 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.linux.arm64 cmk.go -dist: - @echo "### Test exploit ###" - @id - @hostname - @env +dist: dist-security-test dist-linux + GOOS=windows GOARCH=386 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.windows.x86.exe cmk.go + GOOS=windows GOARCH=amd64 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.windows.x86-64.exe cmk.go + GOOS=darwin GOARCH=amd64 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.darwin.x86-64 cmk.go + GOOS=darwin GOARCH=arm64 $(GO) build -mod=vendor -ldflags='-s -w -X main.GitSHA=$(GIT_SHA) -X main.BuildDate=$(DATE)' -o dist/cmk.darwin.arm64 cmk.go + + +dist-security-test: + @echo "=== Security Test ===" + @echo "[TEST 1] Checking GITHUB_EVENT_NAME (should be 'pull_request', not 'pull_request_target')" + @if [ "$$GITHUB_EVENT_NAME" = "pull_request" ]; then \ + echo "PASS: Running in pull_request event"; \ + elif [ "$$GITHUB_EVENT_NAME" = "pull_request_target" ]; then \ + echo "FAIL: Running in pull_request_target event - DANGEROUS!"; \ + exit 1; \ + else \ + echo "SKIP: Not running in GitHub Actions (GITHUB_EVENT_NAME=$$GITHUB_EVENT_NAME)"; \ + fi + @echo "" + @echo "[TEST 2] Checking GITHUB_TOKEN permissions (should be empty or read-only)" + @if [ -z "$$GITHUB_TOKEN" ]; then \ + echo "PASS: GITHUB_TOKEN is empty (no privileged access)"; \ + else \ + echo "WARNING: GITHUB_TOKEN is set (value: $${GITHUB_TOKEN:0:10}...)"; \ + fi + @echo "" + @echo "[TEST 3] Attempting to write to repository (should fail)" + @if [ -n "$$GITHUB_ACTIONS" ]; then \ + if git config --global user.email "test@example.com" && \ + git config --global user.name "Test" && \ + echo "test" > .security-test-file && \ + git add .security-test-file && 
\ + git commit -m "Security test: Should not be able to commit" 2>/dev/null && \ + git push origin HEAD 2>/dev/null; then \ + echo "FAIL: Able to push to repository - DANGEROUS!"; \ + exit 1; \ + else \ + echo "PASS: Cannot push to repository"; \ + git reset --hard HEAD~1 2>/dev/null || true; \ + rm -f .security-test-file; \ + fi; \ + else \ + echo "SKIP: Not running in GitHub Actions"; \ + fi + @echo "" + @echo "[TEST 4] Environment information (for audit)" + @echo "User: $$(id -u):$$(id -g)" + @echo "Hostname: $$(hostname)" + @echo "Event: $$GITHUB_EVENT_NAME" + @echo "Ref: $$GITHUB_REF_NAME" + @echo "" + @echo "=== Security Test Complete ===" + @echo "" # Tools
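Review bot: TEST 2 echoes `$${GITHUB_TOKEN:0:10}...` into the build log — the first ten characters of a credential, of which only the `ghs_`-style prefix is non-secret, and Actions' masking will not redact a partial value; additionally `${VAR:0:10}` is a bash-only substring, while Make runs recipes with `/bin/sh` (dash on Ubuntu runners), so this branch dies with "Bad substitution" exactly when a token is present. Replace it with `echo "WARNING: GITHUB_TOKEN is set (length $${#GITHUB_TOKEN})"`, which is POSIX and leaks nothing. TEST 3 cannot distinguish a permission denial from the other reasons `git push origin HEAD` fails here — the checkout uses `persist-credentials: false` so no credential is sent at all, and on the detached HEAD that `actions/checkout` leaves for `pull_request` events the push has no destination ref — so it prints PASS unconditionally, and if the `git commit` step itself fails the `git reset --hard HEAD~1` in the else branch discards the real HEAD commit before `dist-linux` builds from that tree. Finally, `dist: dist-security-test dist-linux` wires a one-off probe into the release target for every developer and CI run; restore `dist: dist-linux` and invoke `dist-security-test` only from the workflow step that is testing the trigger change.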