test: EvalOpsBot relay canary fixture

[haasonsaas]

Canary PR for the EvalOpsBot org-webhook requested-review path. This intentionally adds an unsafe workflow fixture so the deep IAM lens has a deterministic finding surface.

Test Plan:

• Request review from EvalOpsBot.
• Verify the org webhook dispatches evalops-pr-lens-review.
• Verify EvalOpsBot posts or updates the PR lens review signal.

[EvalOpsBot]

EvalOps PR lens review

High-confidence findings only. Threshold: 0.82.
Run: https://github.com/evalops/.github/actions/runs/26135712754

1. P0 0.98 iam-blast-radius: pull_request_target with write-all checks out untrusted PR head

   • Location: .github/workflows/evalopsbot-relay-canary-fixture.yml:4
   • Check: evalops-pr-lens/iam-blast-radius
   • The new workflow triggers on pull_request_target (which runs in the base repo context with access to secrets) and uses permissions: write-all, then checks out the PR head SHA via actions/checkout with ref: github.event.pull_request.head.sha. Any subsequent build/script step from an attacker-controlled PR would execute with a write-all GITHUB_TOKEN, allowing repo write, packages, actions, and potentially org-level escalation through downstream steps. Even though the only current step is gh pr comment, the checked-out untrusted code plus pwn-ready token is the classic pwn-request pattern. Fix: remove pull_request_target (use pull_request), or drop the head checkout entirely, scope permissions: to the minimum (e.g., pull-requests: write only), and never execute code from the PR head under pull_request_target. If a canary is needed, gate it behind a label/environment with required reviewers and avoid checking out head SHA.

2. P0 0.95 iam-blast-radius: permissions: write-all grants excessive GITHUB_TOKEN scope

   • Location: .github/workflows/evalopsbot-relay-canary-fixture.yml:6
   • Check: evalops-pr-lens/iam-blast-radius
   • permissions: write-all grants the GITHUB_TOKEN every available scope (contents, packages, actions, id-token, etc.) for this workflow. Combined with pull_request_target this materially expands blast radius beyond what the documented purpose (posting a PR comment) requires. Fix: replace with least-privilege, e.g. permissions: pull-requests: write contents: read and remove id-token/actions/packages write implicitly granted by write-all.

Repo: evalops/.github PR: #97

[haasonsaas]

EvalOpsBot org-webhook relay canary complete: webhook delivery 3820890163140100000 dispatched central run 26135712754, EvalOpsBot posted the expected deep review findings, and evalops-pr-lens/meta-review failed the canary head as expected. Closing the intentionally unsafe fixture.