
ci: harden build-guest manual release workflow#62

Merged
kvinwang merged 1 commit into
mainfrom
codex/propose-fix-for-release-workflow-vulnerability
May 9, 2026

Conversation

@h4x3rotab

Contributor

Motivation

  • The manual build-guest workflow could be dispatched against an arbitrary branch/ref and would tag and publish releases from that unreviewed ref, creating a supply-chain authorization risk.
  • The change aims to prevent unreviewed refs from producing official release artifacts while preserving the ability to run build-only workflows.

Description

  • Split release operations into a dedicated release job that runs only when a non-empty tag is provided and the workflow is dispatched from the repository default branch.
  • Added environment: release to require environment approval for releases and limited job permissions so the build job has contents: read and the release job has contents: write.
  • Explicitly check out the repository default branch in the release job and download artifacts produced by the build job.
  • Validate the supplied tag with a strict version-like regex before creating and pushing the tag and publishing the release.

Testing

  • Inspected the modified workflow with git diff -- .github/workflows/build-guest.yml to verify the intended changes were applied successfully.
  • Attempted to run actionlint .github/workflows/build-guest.yml but actionlint was not installed in the environment, so static linting was not executed.
  • Printed the updated workflow file to confirm the job gates, permissions, checkout ref, artifact download, and tag validation steps are present and syntactically correct.

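The workflow shape the description lays out, written up as an added example rather than the project's own `.github/workflows/build-guest.yml`: the job and artifact names, the placeholder build step and the exact tag regex are assumptions, while the gating, the `release` environment, the per-job permissions, the explicit default-branch checkout and the tag validation are the controls the PR describes.

```yaml
# Added example of a hardened manual-release workflow (not the project's file).
# Job names, artifact name, build step and the tag regex are placeholders.
name: build-guest (manual)

on:
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag (leave empty for a build-only run)"
        required: false
        default: ""

# Workflow-wide default is read-only; each job widens only what it needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      # Placeholder build step; the real project builds the guest image here.
      - name: Build guest artifact
        run: |
          mkdir -p dist
          echo "guest image placeholder" > dist/guest.img
      - uses: actions/upload-artifact@v4
        with:
          name: guest-artifacts
          path: dist/

  release:
    needs: build
    # Gate 1: a non-empty tag was supplied.
    # Gate 2: the run was dispatched from the repository default branch, so a
    # dispatch against an arbitrary unreviewed ref can build but never publish.
    if: >-
      inputs.tag != '' &&
      github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
    runs-on: ubuntu-latest
    environment: release        # required reviewers approve before this job runs
    permissions:
      contents: write           # only this job may push a tag / create a release
    steps:
      - name: Validate tag format
        env:
          TAG: ${{ inputs.tag }}   # passed via env, never interpolated into the script
        run: |
          # Strict version-like check; reject anything else before touching git.
          if ! printf '%s\n' "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
            echo "::error::tag '$TAG' is not a valid version tag"
            exit 1
          fi
      # Check out the default branch explicitly, not whatever ref was dispatched.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}
          fetch-depth: 0
      # Use the artifacts the build job produced instead of rebuilding here.
      - uses: actions/download-artifact@v4
        with:
          name: guest-artifacts
          path: dist/
      - name: Create and push tag
        env:
          TAG: ${{ inputs.tag }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "$TAG" -m "Release $TAG"
          git push origin "refs/tags/$TAG"
      - name: Publish release
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ inputs.tag }}
        run: gh release create "$TAG" dist/* --title "$TAG" --generate-notes
```

Two details worth checking in a review of such a workflow: the `if:` on the `release` job must compare `github.ref` against the default branch (not merely `needs.build.result`), otherwise a dispatch from a feature branch still reaches the tagging step; and the tag input should reach shell steps through `env:` rather than `${{ inputs.tag }}` inside `run:`, so a malformed value cannot alter the script before the regex rejects it.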

@kvinwang kvinwang left a comment

Collaborator


LGTM

@kvinwang kvinwang merged commit d2fb428 into main May 9, 2026
3 checks passed
