fix(security): fetch gateway targets at runtime#96
Conversation
Co-Authored-By: Codex <noreply@openai.com>
🤖 Codex PR Review🚫 Merge blocked: 1 serious issue(s) found in high-risk files 🚫 Blocking IssuesThese issues must be fixed before this PR can be merged: 1. 🟠 [HIGH] Bug in
|
Co-Authored-By: Codex <noreply@openai.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d8b72228ba
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| with: | ||
| script: | | ||
| const raw = ${{ toJSON(vars.IB_GATEWAY_TARGETS_JSON) }}; | ||
| const response = await github.rest.actions.getRepoVariable({ |
There was a problem hiding this comment.
Provide a Variables-capable token for getRepoVariable
In these workflow jobs the default github-script token is the job GITHUB_TOKEN; setting actions: read does not grant the repository “Variables” permission required by GET /repos/{owner}/{repo}/actions/variables/{name}. As soon as any capture/diagnose/maintenance run tries to resolve IB_GATEWAY_TARGETS_JSON, this call will fail with 403 instead of producing the matrix, so the workflows never reach the gateway steps; use vars safely or pass a GitHub App/PAT token with Variables read.
Useful? React with 👍 / 👎.
| with: | ||
| script: | | ||
| const raw = ${{ toJSON(vars.IB_GATEWAY_TARGETS_JSON) }}; | ||
| const response = await github.rest.actions.getRepoVariable({ |
There was a problem hiding this comment.
Preserve org-level IB_GATEWAY_TARGETS_JSON lookup
When IB_GATEWAY_TARGETS_JSON is defined as an organization variable shared with this repository, the previous vars.IB_GATEWAY_TARGETS_JSON lookup resolved it, but this REST call only fetches repository variables and will return not found before the matrix is built. This regresses org-level deployments even if the token permission issue is fixed; either keep using the vars context safely or fall back to the organization-variable endpoint.
Useful? React with 👍 / 👎.
|
Closed after live read-only resolver validation confirmed GITHUB_TOKEN receives HTTP 403 for repository Variables API. A secure replacement requires a separately approved secret/token migration; no unsafe fallback will be merged. |
Summary
github-scriptinputsValidation
bash tests/test_install_2fa_bot_watcher.shbash tests/test_wait_for_ib_gateway_ready.shbash tests/test_workflow_shared_config.shbash tests/test_docker_compose_ports.shbash tests/test_gateway_recovery_scripts.shbash tests/test_run_override_api_config.shactionlint .github/workflows/*.ymlgit diff --check