What Changed
GitHub Actions workflow runAsimSchemaAndDataTesters.yaml implemented enhanced security controls for pull requests from forked repositories. The workflow now restricts trigger events to only labeled and synchronize events, eliminating broader event triggers that could execute untrusted code.
Security Impact (CI/CD Supply Chain)
This addresses a supply chain security vulnerability where malicious fork PRs could potentially execute arbitrary code in the CI environment with access to repository secrets. The previous implementation allowed multiple trigger events that could bypass security review.
Key security improvements:
- Restricted trigger scope: Only labeled and synchronize events can trigger the workflow, reducing attack surface
- Strict SafeToRun gating: Fork PRs only execute when maintainers explicitly add the SafeToRun label during the labeled event
- Automatic label removal: New commits synchronize events automatically remove stale SafeToRun labels, forcing re-review
- Enhanced logging: Improved visibility into approval decisions and security state transitions
Attack scenario mitigated: Previously, a malicious actor could open a fork PR, wait for SafeToRun approval, then push additional malicious commits that would execute without re-review. The new logic prevents this by immediately invalidating approval on code changes.
Operational Changes
- Maintainer workflow: After new commits on approved fork PRs, maintainers must remove and re-add SafeToRun labels
- Automated enforcement: The workflow now includes GitHub Actions script automation to remove stale labels
- Fork-specific gating: Downstream jobs validation, data ingestion, testing only run for forks on labeled events
This hardening aligns with GitHub Security Lab recommendations for preventing PWN request attacks in CI/CD pipelines.
Affected Files
.github/workflows/runAsimSchemaAndDataTesters.yaml