
thst-nordic
Contributor

pip install requirements-actions.txt from base branch instead of untrusted PR

Signed-off-by: Thomas Stilwell [email protected]

@thst-nordic changed the title from "[nrf noup] ci: prevent PR author from executing malicious pip pkg" to "[nrf noup] ci: prevent PR author from installing python pkgs" on Aug 29, 2025
@thst-nordic changed the title from "[nrf noup] ci: prevent PR author from installing python pkgs" to "[nrf noup] ci: prevent PRs from installing python pkgs" on Aug 29, 2025
Comment on lines 35 to +43
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: zephyrproject/zephyr
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
persist-credentials: false

- name: west setup
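Review bot: the checkout at `ref: ${{ github.event.pull_request.head.sha }}` places the PR author's tree at `zephyrproject/zephyr` inside a `pull_request_target` job, which runs with the base repository's permissions, so any later step that executes files from that path (for example `pip install -r` against a requirements file taken from that checkout, where a package's setup.py runs at install time) executes PR-controlled code with those permissions. `persist-credentials: false` limits token exposure but does not change that. As the PR description states, the install should read `requirements-actions.txt` from the base branch, and the checked-out PR tree should only be read as data by the manifest check, never executed.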

Check failure (Code scanning / CodeQL): Checkout of untrusted code in trusted context (High). Potential execution of untrusted code on a privileged workflow (pull_request_target).
@thst-nordic force-pushed the gha-manifest branch 3 times, most recently from 1fc4c8f to b4247ea on August 29, 2025 11:51
@thst-nordic force-pushed the gha-manifest branch 5 times, most recently from cf1f554 to 610fd2a on August 29, 2025 14:36
pip install requirements-actions.txt from base branch instead of untrusted PR

During install, a malicious package can execute code in setup.py.
The solution is to split manifest-check and apply-labels.

Signed-off-by: Thomas Stilwell <[email protected]>
@thst-nordic
Contributor Author

This action was disabled until a proper fix is merged.
