Security: Add fork PR safety gate to prevent ACE vulnerability #1

Merged
coley-angel merged 1 commit into master from winton/fork-safety-gate-OPSTK-16743 on Jun 15, 2026

Conversation

@opstk-cicd-auth


Security Fix: Prevent Fork PR Arbitrary Code Execution

TLDR: Add fork safety gate to prevent CRITICAL ACE vulnerability (OPSTK-16743, OPSTK-16732 Finding 1).

Vulnerability:

  • Workflow runs on pull_request events with contents: write permission AND uses: ./ (local action execution)
  • This allows fork PRs to execute arbitrary code with write access to the repository

Fix:
Add conditional gate to the git-auto-commit job:

if: github.event.pull_request.head.repo.full_name == github.repository

This ensures the job only runs on internal PRs (same repo), not fork PRs.

Risk Assessment:

  • Fix class: workflow-yml-change
  • Risk: medium
  • Action: comment-only per Ops Stack security policy (no direct push to master)
  • Paths modified: .github/workflows/git-auto-commit.yml

Testing:

  • Fork PR: Job will be skipped (safe)
  • Internal PR: Job runs normally (no behavior change)

References:

  • Jira: OPSTK-16743 (this ticket)
  • Parent: OPSTK-16732 (GitHub Actions security umbrella)
  • STE: OPSTK-16733 (source finding)

Automated fix by Winton (opstk-cicd-auth GitHub App) on behalf of OPSTK-16743.
Human review required before merge.
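The pattern the PR describes (pull_request trigger, contents: write, uses: ./, no fork gate) and the job-level gate it adds, shown side by side in constructed workflow text and checked by a small audit script. This is an added example, not code from this PR or from the Ops Stack repository: the two workflow texts are illustrations of the shape the description gives, not the real git-auto-commit.yml, and the scanner is indentation-based, recognizes only the exact `if:` expression from the PR, and only when it sits at job level.

```python
import re

# Constructed illustration of the pattern the PR describes (pull_request trigger,
# contents: write, uses: ./ with no fork gate). Not the repository's real workflow.
VULNERABLE_WORKFLOW = """\
name: git-auto-commit
on:
  pull_request:
permissions:
  contents: write
jobs:
  git-auto-commit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: ./
"""

# The same workflow with the PR's job-level gate applied.
FIXED_WORKFLOW = VULNERABLE_WORKFLOW.replace(
    "  git-auto-commit:\n",
    "  git-auto-commit:\n"
    "    if: github.event.pull_request.head.repo.full_name == github.repository\n",
)

# A job that narrows its own token to read-only; the top-level write grant no longer applies.
READ_ONLY_JOB_WORKFLOW = VULNERABLE_WORKFLOW.replace(
    "    runs-on: ubuntu-latest\n",
    "    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n",
)

PR_TRIGGER = re.compile(r"\bpull_request\b")          # word boundary excludes pull_request_target
WRITE_GRANT = re.compile(r"^\s*(contents:\s*write|permissions:\s*write-all)\b")
LOCAL_ACTION = re.compile(r"^\s*-?\s*uses:\s*\./")     # action loaded from the checked-out tree
FORK_GATE = re.compile(
    r"github\.event\.pull_request\.head\.repo\.full_name\s*==\s*github\.repository"
)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _meaningful(lines):
    return [l for l in lines if l.strip() and not l.lstrip().startswith("#")]


def top_level_blocks(text):
    """Group lines under their top-level key ('on', 'permissions', 'jobs', ...).
    The key line itself is kept so inline forms such as 'on: [pull_request]' are seen."""
    blocks, key = {}, None
    for line in _meaningful(text.splitlines()):
        if _indent(line) == 0:
            key = line.split(":", 1)[0].strip().strip("\"'")
            blocks[key] = [line]
        elif key is not None:
            blocks[key].append(line)
    return blocks


def split_jobs(jobs_block):
    """Return {job_id: body_lines} from the lines under 'jobs:'."""
    jobs, current, job_indent = {}, None, None
    for line in jobs_block[1:]:
        if job_indent is None:
            job_indent = _indent(line)
        if _indent(line) == job_indent:
            current = line.split(":", 1)[0].strip()
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def audit(workflow_text):
    """Return ids of jobs that run on pull_request with a write token, execute a
    local action, and lack the job-level fork gate. Only the exact gate expression
    from the PR is recognized, and only at job level (a step-level 'if' is ignored)."""
    blocks = top_level_blocks(workflow_text)
    if not any(PR_TRIGGER.search(l) for l in blocks.get("on", [])):
        return []
    top_write = any(WRITE_GRANT.match(l) for l in blocks.get("permissions", []))
    findings = []
    for job_id, body in split_jobs(blocks.get("jobs", [])).items():
        if not body:
            continue
        body_indent = _indent(body[0])
        job_keys = [l for l in body if _indent(l) == body_indent]
        # A job-level permissions block replaces the workflow-level grant entirely.
        has_own_perms = any(l.strip().startswith("permissions") for l in job_keys)
        can_write = any(WRITE_GRANT.match(l) for l in body) if has_own_perms else top_write
        runs_local = any(LOCAL_ACTION.match(l) for l in body)
        gated = any(l.strip().startswith("if:") and FORK_GATE.search(l) for l in job_keys)
        if can_write and runs_local and not gated:
            findings.append(job_id)
    return findings


if __name__ == "__main__":
    for label, text in [("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW),
                        ("read-only job", READ_ONLY_JOB_WORKFLOW)]:
        print(f"{label}: at-risk jobs = {audit(text)}")
```

Run it directly to see the vulnerable sample flagged and the gated and read-only variants pass; to check a real file, read its text and pass it to `audit()`. The script deliberately does not accept a step-level gate as sufficient, matching the PR's choice to place the condition on the job itself so that nothing in the job runs for a fork PR.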

Prevent arbitrary code execution vulnerability in git-auto-commit workflow.

Vulnerability: pull_request trigger + uses: ./ + contents: write allows
fork PRs to execute arbitrary local action code with write permissions.

Fix: Add conditional gate to only run on internal PRs (same repo).

Risk gate verdict: workflow-yml-change / medium / comment-only
(proper PR review required, no direct push to master)

Refs: OPSTK-16743, OPSTK-16732 (Finding 1), OPSTK-16733 (STE source)
@coley-angel coley-angel marked this pull request as ready for review June 15, 2026 14:50
@coley-angel coley-angel merged commit 43734b3 into master Jun 15, 2026
4 of 5 checks passed
@coley-angel coley-angel deleted the winton/fork-safety-gate-OPSTK-16743 branch June 15, 2026 14:52