
Fix script injection (S7630) in maintenance workflow Record outputs steps#39578

Merged
pelikhan merged 4 commits into main from copilot/fix-injection-warnings-sonar on Jun 16, 2026

Conversation

Copilot AI commented Jun 16, 2026

Contributor

${{ inputs.operation }} and ${{ inputs.run_url }} were interpolated directly into shell run blocks in the generated maintenance workflow, making them GitHub Actions script-injection sinks (Sonar githubactions:S7630 / CodeQL actions/expression-injection).

Changes

  • pkg/workflow/maintenance_workflow_yaml.go — two Record outputs steps fixed:
    • run_operation job: inputs.operation moved to env var
    • apply_safe_outputs job: inputs.run_url moved to env var
  • pkg/workflow/side_repo_maintenance.go — same apply_safe_outputs pattern fixed

Applies the env-indirection pattern already used by the adjacent Run operation and Apply Safe Outputs steps in both files:

# Before (vulnerable)
- name: Record outputs
  id: record
  run: echo "run_url=${{ inputs.run_url }}" >> "$GITHUB_OUTPUT"

# After
- name: Record outputs
  id: record
  env:
    GH_AW_RUN_URL: ${{ inputs.run_url }}
  run: echo "run_url=$GH_AW_RUN_URL" >> "$GITHUB_OUTPUT"

Downstream consumers of generated workflows receive the fix on their next gh aw compile.
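As an added example (not code from this PR or from the gh-aw project), the following stdlib-only Go checker flags the sink class that S7630 describes: a `${{ ... }}` expression interpolated into a `run:` script, whether the script is a one-line scalar or a `run: |` block. Values passed through `env:` are not reported, which is exactly why the env-indirection fix above clears the finding. The workflow fragments are constructed to mirror the Before/After steps in the description; the function names and the line-based scanning approach are assumptions of this example, not the project's own compiler or linter.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one ${{ }} expression found inside a run: script.
type Finding struct {
	Line int    // 1-based line number within the scanned text
	Expr string // the expression body, e.g. "inputs.run_url"
}

var (
	// matches ${{ <expr> }} and captures <expr>
	exprRe = regexp.MustCompile(`\$\{\{\s*([^}]+?)\s*\}\}`)
	// matches a "run:" key, optionally written as a sequence item ("- run:")
	runRe = regexp.MustCompile(`^(\s*)(?:-\s+)?run:\s*(.*)$`)
)

// FindRunInjections scans workflow YAML line by line and returns every
// ${{ }} expression interpolated into a run: script. Expressions under env:
// are deliberately not reported: the runner expands them into environment
// variables, so the shell receives the value as data rather than as script text.
// This is a line-based approximation (assumed here), not a full YAML parser.
func FindRunInjections(yamlText string) []Finding {
	var findings []Finding
	inBlock := false
	blockIndent := 0 // indent of the run: key that opened a block scalar

	for i, line := range strings.Split(yamlText, "\n") {
		lineNo := i + 1
		if inBlock {
			trimmed := strings.TrimLeft(line, " ")
			indent := len(line) - len(trimmed)
			if trimmed == "" || indent > blockIndent {
				// still inside the block scalar: scan it for expressions
				for _, m := range exprRe.FindAllStringSubmatch(line, -1) {
					findings = append(findings, Finding{Line: lineNo, Expr: m[1]})
				}
				continue
			}
			inBlock = false // dedent ends the block; fall through to check this line
		}

		m := runRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		value := strings.TrimSpace(m[2])
		if strings.HasPrefix(value, "|") || strings.HasPrefix(value, ">") {
			inBlock = true
			blockIndent = len(m[1])
			continue
		}
		for _, e := range exprRe.FindAllStringSubmatch(value, -1) {
			findings = append(findings, Finding{Line: lineNo, Expr: e[1]})
		}
	}
	return findings
}

// Constructed fragments mirroring the Before/After "Record outputs" steps in the PR.
const VulnerableStep = `
    steps:
      - name: Record outputs
        id: record
        run: echo "run_url=${{ inputs.run_url }}" >> "$GITHUB_OUTPUT"
`

const HardenedStep = `
    steps:
      - name: Record outputs
        id: record
        env:
          GH_AW_RUN_URL: ${{ inputs.run_url }}
        run: echo "run_url=$GH_AW_RUN_URL" >> "$GITHUB_OUTPUT"
`

// Constructed block-scalar variant, mirroring the run_operation job's inputs.operation sink.
const VulnerableBlockStep = `
      - name: Record outputs
        id: record
        run: |
          echo "operation=${{ inputs.operation }}" >> "$GITHUB_OUTPUT"
          echo "recorded"
      - name: Next step
        run: echo ok
`

func main() {
	samples := []struct{ name, text string }{
		{"vulnerable", VulnerableStep},
		{"hardened", HardenedStep},
		{"vulnerable-block", VulnerableBlockStep},
	}
	for _, s := range samples {
		findings := FindRunInjections(s.text)
		fmt.Printf("%s: %d finding(s)\n", s.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  line %d: ${{ %s }} interpolated into run:\n", f.Line, f.Expr)
		}
	}
}
```

Running it reports one finding for each vulnerable fragment (`inputs.run_url` and `inputs.operation`) and none for the hardened step. Because the checker reports the expression text, triage can distinguish attacker-influenced contexts such as `inputs.*` or `github.event.*` from fixed values; a production linter would parse the YAML properly rather than rely on indentation.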

Copilot AI and others added 2 commits June 16, 2026 15:48
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix injection warnings from Sonar in generated maintenance workflow" to "Fix script injection (S7630) in maintenance workflow Record outputs steps" Jun 16, 2026
Copilot AI requested a review from pelikhan June 16, 2026 15:58
@pelikhan pelikhan marked this pull request as ready for review June 16, 2026 16:01
Copilot AI review requested due to automatic review settings June 16, 2026 16:01

Copilot AI left a comment

Contributor


Pull request overview

This PR mitigates GitHub Actions expression/script injection sinks (Sonar githubactions:S7630 / CodeQL actions/expression-injection) in the generated maintenance workflow by avoiding direct interpolation of inputs.* values into shell run: blocks.

Changes:

  • Updates two generated Record outputs steps to pass inputs.operation / inputs.run_url via env and reference them as shell variables in run:.
  • Applies the same env indirection fix to the side-repo maintenance workflow generator.
  • Regenerates the objective-impact-report compiled lock workflow metadata (body hash).
Summary per file:

  • pkg/workflow/maintenance_workflow_yaml.go: moves inputs.operation and inputs.run_url out of run: interpolation in the Record outputs steps by introducing env variables.
  • pkg/workflow/side_repo_maintenance.go: applies the same inputs.run_url env indirection pattern in the generated Record outputs step.
  • .github/workflows/objective-impact-report.lock.yml: updates the generated metadata body_hash (appears unrelated to the maintenance workflow injection fix).

Copilot's findings


  • Files reviewed: 3/3 changed files
  • Comments generated: 1

@@ -1,4 +1,4 @@
# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"e357ecaf2b1bac669b156ce98fc34afb31faf80acf85b19f4b1cd9069ab7aca6","body_hash":"24d3f0499ec3d16953e9b5b48edfdc9b9887e87b9de4c92c2955b04698b04122","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}}
# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"e357ecaf2b1bac669b156ce98fc34afb31faf80acf85b19f4b1cd9069ab7aca6","body_hash":"978c9220dcee75830e508fe03ceb61df8818787eac3aa9325c1624699a03a99c","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}}
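Review bot: this hunk changes only body_hash in .github/workflows/objective-impact-report.lock.yml, while frontmatter_hash, strict and engine_versions are identical before and after, and the PR description does not list this lock file among the changes; the per-file summary already notes it appears unrelated to the maintenance-workflow injection fix. Either drop the regenerated lock file from this PR or add a sentence to the description explaining why the compiled body changed, so a reviewer can tell a regeneration caused by the template edit from unrelated compiler drift.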
@github-actions

Contributor

@copilot review all comments and address unresolved review feedback.

Generated by 👨‍🍳 PR Sous Chef · 53 AIC · ⌖ 1.05 AIC · ⊞ 17.4K ·

@pelikhan pelikhan merged commit 27d620a into main Jun 16, 2026
@pelikhan pelikhan deleted the copilot/fix-injection-warnings-sonar branch June 16, 2026 16:25