janhoy opened a new pull request, #4453: URL: https://github.com/apache/solr/pull/4453
The `renovate-changelog.yml` workflow used `pull_request_target` to auto-generate changelog entries for Renovate (solrbot) PRs. This trigger is flagged as a security anti-pattern: it runs with write access to `SOLRBOT_GITHUB_TOKEN` while also checking out code from a fork branch. We had no reason to believe the existing workflow is insecure in practice, for our particular use, but this is done to align with best practices.

This PR replaces the existing `renovate-changelog.yml` workflow with the two-stage `workflow_run` pattern recommended by GitHub's security hardening guide:

**Stage 1** (`renovate-changelog-prepare.yml`, `pull_request` trigger, no secrets):
- Checks out the **base repo** at the base branch — never fork code
- Runs the trusted `generate-renovate-changelog.py` script
- Uploads the generated `changelog/unreleased/PR#NNN-*.yml` and PR metadata as an artifact

**Stage 2** (`renovate-changelog-push.yml`, `workflow_run` trigger, has `SOLRBOT_GITHUB_TOKEN`):
- Triggers only when Stage 1 succeeds **and** for `solrbot/apache-_-solr` (prevents spurious runs on non-solrbot PRs)
- Downloads the artifact; parses metadata with `grep`/`cut` (never `source`)
- Validates `HEAD_REPO`, `PR_NUMBER`, and `HEAD_REF` before any write operation
- Clones the fork branch using a git credential store so the token never appears in the process list or command line
- Removes stale `PR#NNN-*.yml` files (handles slug changes), copies the new file, commits and pushes

No changes to `.github/scripts/generate-renovate-changelog.py`.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
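The Stage 2 steps described above (parse the artifact with `grep`/`cut` instead of `source`, validate `HEAD_REPO`, `PR_NUMBER` and `HEAD_REF` before any write, keep the token in a git credential store, prune stale `PR#NNN-*.yml` files) are the parts that carry the security weight of the `workflow_run` pattern, because the artifact arrives from a run that a fork PR triggered and must be treated as untrusted data. The script below is an added example written for this review, not code from the Solr PR or repository. The metadata file name and field layout (`KEY=value` lines), the credential-store file name, and the helper names are assumptions; the fork name `solrbot/apache-_-solr` is the one the PR description mentions.

```shell
#!/usr/bin/env bash
# Added example (not from apache/solr). Untrusted-artifact handling for the
# push stage of a workflow_run pattern. Field names, file names and helper
# names are assumptions for illustration.
set -eu

# The only fork we will ever clone from and push to (assumption: the PR's solrbot fork).
EXPECTED_HEAD_REPO="solrbot/apache-_-solr"

# meta_get KEY FILE: print the value of the first "KEY=value" line in FILE.
# Pure text extraction: nothing in the artifact is ever evaluated as shell,
# which is the whole reason `source` is off the table.
meta_get() {
  grep -m1 "^$1=" "$2" | cut -d= -f2-
}

# validate_meta HEAD_REPO PR_NUMBER HEAD_REF: succeed only if every field is
# safe to place in a git command line or a file name. Fails closed.
validate_meta() {
  local head_repo="$1" pr_number="$2" head_ref="$3"
  if [ "$head_repo" != "$EXPECTED_HEAD_REPO" ]; then
    echo "refusing: head repo '$head_repo' is not $EXPECTED_HEAD_REPO" >&2
    return 1
  fi
  case "$pr_number" in
    ''|*[!0-9]*)
      echo "refusing: PR number '$pr_number' is not numeric" >&2
      return 1 ;;
  esac
  # Branch ref: non-empty, no leading '-' (option injection), no '..'
  # (path tricks), and only characters git accepts without quoting.
  case "$head_ref" in
    ''|-*|*..*|*[!A-Za-z0-9._/-]*)
      echo "refusing: unsafe head ref '$head_ref'" >&2
      return 1 ;;
  esac
  return 0
}

# write_credential_store FILE TOKEN: git's `store` helper reads this file,
# so the token never appears in argv, `ps` output, or the job log.
write_credential_store() {
  local file="$1" token="$2"
  ( umask 077; printf 'https://x-access-token:%s@github.com\n' "$token" > "$file" )
}

# clone_fork DEST STORE REPO REF: clone the validated fork branch using the
# credential store; the command line carries no secret. Needs network, so it
# is not exercised by the offline checks below.
clone_fork() {
  local dest="$1" store="$2" repo="$3" ref="$4"
  git -c "credential.helper=store --file=$store" clone --depth=1 \
      --branch "$ref" "https://github.com/$repo.git" "$dest"
}

# prune_and_copy_changelog DIR PR_NUMBER NEWFILE: remove every PR#NNN-*.yml
# left from an earlier slug for this PR (and only this PR), then copy in the
# freshly generated entry. PR_NUMBER must already have passed validate_meta.
prune_and_copy_changelog() {
  local dir="$1" pr_number="$2" newfile="$3"
  find "$dir" -maxdepth 1 -type f -name "PR#${pr_number}-*.yml" -delete
  cp "$newfile" "$dir/"
}

# push_stage META_FILE CHANGELOG_DIR NEW_ENTRY STORE TOKEN WORKDIR: the order
# a job step would use. Validation happens before any write or clone.
push_stage() {
  local meta="$1" cl_dir="$2" entry="$3" store="$4" token="$5" work="$6"
  local head_repo pr_number head_ref
  head_repo="$(meta_get HEAD_REPO "$meta")"
  pr_number="$(meta_get PR_NUMBER "$meta")"
  head_ref="$(meta_get HEAD_REF "$meta")"
  validate_meta "$head_repo" "$pr_number" "$head_ref" || return 1
  write_credential_store "$store" "$token"
  clone_fork "$work" "$store" "$head_repo" "$head_ref"
  prune_and_copy_changelog "$work/$cl_dir" "$pr_number" "$entry"
  # commit and push would follow here, again with the credential store
}
```

The `case` patterns do the validation without any external tool, so a metadata value such as `$(curl ...)` or `--upload-pack=...` is rejected as text rather than reaching `git`. Note that `find -name "PR#4453-*.yml"` does not match `PR#44530-other.yml`, because the hyphen after the number is part of the pattern; that is what keeps the prune step from deleting another PR's entry.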
