fix(ci): block fork code on self-hosted Swift runner#4102
fix(ci): block fork code on self-hosted Swift runner#4102QuantumExplorer wants to merge 1 commit into
Conversation
|
Warning Review limit reached
Next review available in: 56 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
✅ Review complete (commit 4b0efec) |
thepastaclaw
left a comment
There was a problem hiding this comment.
Code Review
This PR adds guards to keep fork pull requests off the persistent Swift self-hosted runner, plus an offline consistency checker, but every control is evaluated from fork-controlled PR content. The verifier also confirmed a trusted-fork policy inconsistency and a fragile regex-based checker.
Source (experiment sonnet-primary-opus-quarter-sample-20260710, cohort sonnet_primary, bucket 3): reviewers codex/general=gpt-5.6-sol(completed), sonnet5/general=claude-sonnet-5(completed); verifier=verifier-sonnet5-4102-1783889464=claude-sonnet-5; orchestrator=openai/gpt-5.6-sol reasoning=high (orchestration-only, not reviewer/verifier).
🔴 1 blocking | 🟡 1 suggestion(s) | 💬 1 nitpick(s)
🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `.github/workflows/tests.yml`:
- [BLOCKING] .github/workflows/tests.yml:348-357: Guard lives entirely inside fork-controlled content, so it doesn't close DS-CAND-103 against a real attacker
For pull_request events, GitHub runs workflow YAML from the PR merge commit, and the local reusable workflow resolves from that same commit. A malicious fork therefore controls the caller guard, the callee guard, and the checked-out policy checker, and can weaken all three together. Keep these checks as defense in depth, but close the trust boundary with a server-side control the PR cannot edit, such as required environment approval or repository/organization approval for outside-collaborator workflow runs.
In `.github/workflows/swift-sdk-build.yml`:
- [SUGGESTION] .github/workflows/swift-sdk-build.yml:9-11: New guard omits the repo's established `thepastaclaw` trusted-fork exception
Sibling self-hosted workflows allow `thepastaclaw`-owned fork PRs, while this new Swift guard only accepts same-repository PRs. If that stricter policy is intentional, document it; otherwise match the established exception consistently in the caller, callee, and checker.
| if: >- | ||
| ${{ always() | ||
| && (github.event_name != 'pull_request' | ||
| || github.event.pull_request.head.repo.full_name == github.repository) | ||
| && needs.changes.outputs.swift-sdk-changed == 'true' | ||
| && needs.changes.result != 'failure' | ||
| && needs.rs-workspace-tests.result != 'failure' | ||
| && needs.rs-wallet-tests.result != 'failure' }} | ||
| secrets: inherit | ||
| uses: ./.github/workflows/swift-sdk-build.yml |
There was a problem hiding this comment.
🔴 Blocking: Guard lives entirely inside fork-controlled content, so it doesn't close DS-CAND-103 against a real attacker
For pull_request events, GitHub runs workflow YAML from the PR merge commit, and the local reusable workflow resolves from that same commit. A malicious fork therefore controls the caller guard, the callee guard, and the checked-out policy checker, and can weaken all three together. Keep these checks as defense in depth, but close the trust boundary with a server-side control the PR cannot edit, such as required environment approval or repository/organization approval for outside-collaborator workflow runs.
source: ['codex-general', 'sonnet5-general']
| if: >- | ||
| github.event_name != 'pull_request' | ||
| || github.event.pull_request.head.repo.full_name == github.repository |
There was a problem hiding this comment.
🟡 Suggestion: New guard omits the repo's established thepastaclaw trusted-fork exception
Sibling self-hosted workflows allow thepastaclaw-owned fork PRs, while this new Swift guard only accepts same-repository PRs. If that stricter policy is intentional, document it; otherwise match the established exception consistently in the caller, callee, and checker.
source: ['sonnet5-general']
| ( | ||
| index | ||
| for index, line in enumerate(lines) | ||
| if start_pattern.match(line.rstrip("\n")) | ||
| ), | ||
| None, | ||
| ) | ||
| if start is None: | ||
| return "" | ||
|
|
||
| end = len(lines) | ||
| for index in range(start + 1, len(lines)): | ||
| if sibling_pattern.match(lines[index].rstrip("\n")): | ||
| end = index | ||
| break | ||
| return "".join(lines[start:end]) | ||
|
|
||
|
|
||
| def job_property(block: str, property_name: str) -> str: | ||
| """Return one job-level property, excluding step-level lookalikes.""" | ||
| lines = block.splitlines(keepends=True) | ||
| start_pattern = re.compile(rf"^ {re.escape(property_name)}:\s*(?:.*)?$") | ||
| sibling_pattern = re.compile(r"^ [A-Za-z0-9_-]+:\s*(?:.*)?$") | ||
|
|
||
| start = next( | ||
| ( | ||
| index | ||
| for index, line in enumerate(lines) | ||
| if start_pattern.match(line.rstrip("\n")) | ||
| ), | ||
| None, | ||
| ) | ||
| if start is None: | ||
| return "" | ||
|
|
||
| end = len(lines) | ||
| for index in range(start + 1, len(lines)): | ||
| if sibling_pattern.match(lines[index].rstrip("\n")): | ||
| end = index | ||
| break | ||
| return "".join(lines[start:end]) | ||
|
|
||
|
|
||
| def normalized_if(block: str) -> str: | ||
| """Normalize one job condition for an exact policy comparison.""" | ||
| condition = job_property(block, "if") |
There was a problem hiding this comment.
💬 Nitpick: Regex-based YAML folding is fragile to harmless reformatting
The checker depends on exact indentation and manual line folding, so semantically neutral YAML reformatting can cause false CI failures. It fails closed, but structured YAML parsing would reduce maintenance risk.
source: ['sonnet5-general']
Issue being fixed or feature implemented
Fixes DS-CAND-103: fork pull requests could route repository-controlled Swift SDK code onto the persistent self-hosted macOS runner.
What was done?
How Has This Been Tested?
Breaking Changes
None. Same-repository pull requests, pushes, schedules, and manual runs preserve their existing eligibility. Fork pull requests no longer allocate the persistent Swift self-hosted runner.
Checklist:
For repository code-owners and collaborators only