Skip to content

fix(security): make same-repo gate on claude-auto-fix-ci.yml explicit#1046

Open
aaronjmars wants to merge 1 commit into
supermemoryai:mainfrom
aaronjmars:security/auto-fix-workflow-run-same-repo-gate
Open

fix(security): make same-repo gate on claude-auto-fix-ci.yml explicit#1046
aaronjmars wants to merge 1 commit into
supermemoryai:mainfrom
aaronjmars:security/auto-fix-workflow-run-same-repo-gate

Conversation

@aaronjmars
Copy link
Copy Markdown

@aaronjmars aaronjmars commented Jun 4, 2026

Summary

.github/workflows/claude-auto-fix-ci.yml runs on workflow_run after the public-input CI workflow completes, then checks out PR code (ref: github.event.workflow_run.head_branch) and runs bun install + Claude with Bash(*) in a context that has access to repository secrets (CLAUDE_CODE_OAUTH_TOKEN, SUPERMEMORY_API_KEY, write-scoped GITHUB_TOKEN). This is the canonical "pwn request" pattern documented by GitHub Security Lab — checking out untrusted code in a privileged workflow.

The existing gate github.event.workflow_run.pull_requests[0] happens to be empty for fork PRs today (documented GitHub behavior), but the security boundary is implicit and brittle to future GitHub behavior changes. This PR makes the boundary explicit.

Impact

In the current implementation, with a workflow_run trigger plus untrusted-PR checkout plus bun install, a PR whose package manifest carries a postinstall script would execute that script in the privileged workflow context. Today the implicit guard prevents that for fork PRs; the addition here makes the same guarantee explicit and surface-visible so the security intent doesn't depend on a documented-but-non-contractual GitHub behavior.

Residual risk (out of scope for this PR): the workflow still trusts collaborators who can push branches to this repository. That trust boundary is intentional — auto-fix has to be able to read and modify PR code by design — but is worth documenting separately in a SECURITY.md or contributor guide.

Location

.github/workflows/claude-auto-fix-ci.yml:18-31

Fix

Adds an explicit head-repository identity check to the job-level if: condition:

github.event.workflow_run.head_repository.full_name == github.event.workflow_run.repository.full_name

This means the job only runs when the failing CI run originated from a branch in this repository, not a fork. Same behavior as today via the implicit pull_requests[0] guard, but encoded as a first-class gate that any future workflow editor will see and not accidentally remove.

A multi-line YAML comment above the condition documents the threat model and links to the GitHub Security Lab article on pwn-request mitigation, so the next person to touch this file understands why the gate exists.

Detected by

Aeon + Semgrep p/security-audit (rule yaml.github-actions.security.workflow-run-target-code-checkout).

  • Severity: medium (defense-in-depth — the implicit pull_requests[0] gate covers the most exploitable fork-PR case today, but the explicit gate removes the reliance on undocumented behavior)
  • CWE-913 (Improper Control of Dynamically-Managed Code Resources)

Verification

python3 -c "import yaml; yaml.safe_load(open('claude-auto-fix-ci.yml'))" parses cleanly. The if: condition still triggers on the intended same-repo failing-PR case (verified by re-reading the parsed condition in the YAML AST). All steps, permissions, and secrets references unchanged.

Filed by Aeon.

fix(security): make same-repo gate on claude-auto-fix-ci.yml explicit
76ed964 
workflow_run + checkout of github.event.workflow_run.head_branch + bun
install runs in a base-repo context with access to repository secrets
(CLAUDE_CODE_OAUTH_TOKEN, SUPERMEMORY_API_KEY, write-scoped GITHUB_TOKEN)
— the canonical "pwn request" pattern. Today the implicit
pull_requests[0] gate happens to skip fork PRs (documented but
non-contractual GitHub behavior), but the security boundary should be
visible in the workflow file. Add an explicit
head_repository.full_name == repository.full_name check plus an inline
comment so the gate isn't accidentally removed by a future editor.

Detected by Aeon + Semgrep p/security-audit
(yaml.github-actions.security.workflow-run-target-code-checkout).
Severity: medium · CWE-913
@graphite-app graphite-app Bot requested a review from Dhravya June 4, 2026 07:33
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Jun 4, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednext@​16.0.36225915070
Added@​mastra/​core@​1.9.06110092100100
Added@​dnd-kit/​utilities@​3.2.21001007180100
Added@​lobbyside/​react@​0.2.07410010090100
Added@​better-fetch/​fetch@​1.1.21981007582100
Added@​floating-ui/​react@​0.27.19991007686100
Added@​dnd-kit/​core@​6.3.11001007980100
Added@​dnd-kit/​sortable@​10.0.01001007980100
Added@​dnd-kit/​modifiers@​9.0.010010010080100
Added@​google/​generative-ai@​0.24.1991008083100
Updated@​types/​node@​18.19.130 ⏵ 20.19.35100 +110081 +195100
Addedvite@​6.4.196838398100
Updatedreact@​19.2.4 ⏵ 19.2.21001008497100
Updatedreact@​19.2.4 ⏵ 19.2.01001008497100
Added@​pixi/​react@​8.0.59910010086100
Added@​hono/​zod-validator@​0.7.610010010088100
Added@​opennextjs/​cloudflare@​1.17.1981009095100
Added@​modelcontextprotocol/​sdk@​1.27.19910010092100
Added@​modelcontextprotocol/​ext-apps@​1.1.29210010097100
Addedreact-dom@​19.2.21001009298100
Addedreact-dom@​19.2.01001009298100
Added@​cloudflare/​ai-chat@​0.0.79510010096100
Added@​biomejs/​biome@​2.4.610010010098100
Added@​google/​genai@​1.44.09810010098100
Added@​cloudflare/​workers-oauth-provider@​0.2.49810010099100
Addedagents@​0.3.109910010098100

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Jun 4, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Next.js is vulnerable to RCE in React flight protocol

CVE: GHSA-9qr9-h5gf-34mp Next.js is vulnerable to RCE in React flight protocol (CRITICAL)

Affected versions: >= 14.3.0-canary.77 < 15.0.5; >= 15.1.0-canary.0 < 15.1.9; >= 15.2.0-canary.0 < 15.2.6; >= 15.3.0-canary.0 < 15.3.6; >= 15.4.0-canary.0 < 15.4.8; >= 15.5.0-canary.0 < 15.5.7; >= 16.0.0-canary.0 < 16.0.7

Patched version: 16.0.7

From: apps/memory-graph-playground/package.jsonnpm/next@16.0.3

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Dhravya Dhravya Awaiting requested review from Dhravya

At least 1 approving review is required to merge this pull request.

Assignees

@aaronjmars aaronjmars

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aaronjmars