diff --git a/.github/workflows/gemini-invoke.yml b/.github/workflows/gemini-invoke.yml
index 11bc2c6..27649bc 100644
--- a/.github/workflows/gemini-invoke.yml
+++ b/.github/workflows/gemini-invoke.yml
@@ -44,8 +44,9 @@ jobs:
 id: 'run_gemini'
 uses: 'google-github-actions/run-gemini-cli@v0' # ratchet:exclude
 env:
- TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}'
- DESCRIPTION: '${{ github.event.pull_request.body || github.event.issue.body }}'
+ # TITLE and DESCRIPTION intentionally omitted: passing raw GitHub event
+ # content as env vars is a prompt-injection vector. The agent should
+ # fetch PR/issue content via the GitHub API using ISSUE_NUMBER.
 EVENT_NAME: '${{ github.event_name }}'
 GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
 IS_PULL_REQUEST: '${{ !!github.event.pull_request }}'
diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml
index 4bd4470..a6ddbed 100644
--- a/.github/workflows/gemini-review.yml
+++ b/.github/workflows/gemini-review.yml
@@ -46,8 +46,8 @@ jobs:
 id: 'gemini_pr_review'
 env:
 GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
- ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}'
- ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}'
+ # ISSUE_TITLE and ISSUE_BODY intentionally omitted: prompt-injection vector.
+ # Agent must fetch content via GitHub API using PULL_REQUEST_NUMBER.
 PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
 REPOSITORY: '${{ github.repository }}'
 ADDITIONAL_CONTEXT: '${{ inputs.additional_context }}'
diff --git a/.github/workflows/release-cherry-pick.yml b/.github/workflows/release-cherry-pick.yml
index ac5e5c0..3daab1d 100644
--- a/.github/workflows/release-cherry-pick.yml
+++ b/.github/workflows/release-cherry-pick.yml
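Review bot: The added comment in the `env:` block of gemini-invoke.yml names the env-var transport as the prompt-injection vector, but the same attacker-controlled title and body still reach the model once the agent fetches them through the GitHub API with `ISSUE_NUMBER`; the gemini-review.yml hunk repeats the wording. I would state what is and is not gained, e.g. `# TITLE/DESCRIPTION omitted so event text is not pre-loaded into the agent's environment; content fetched via the API is still untrusted input.` `GITHUB_TOKEN` stays in the same `env:` block, so the effective control is that token's permission scope, which is declared outside this hunk and should be confirmed as least-privilege. The prompt that consumed `TITLE`/`DESCRIPTION` is also outside the hunk; if it still references them, they presumably now expand to empty strings.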
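Review bot: `ADDITIONAL_CONTEXT: '${{ inputs.additional_context }}'` stays in the gemini-review.yml `env:` block after `ISSUE_TITLE` and `ISSUE_BODY` are dropped, and it is free text handed to the same agent step. Where that input is populated is not visible here; if the calling workflow derives it from a comment body, it carries the same untrusted text as the two removed variables. Either document its source next to the variable, e.g. `# ADDITIONAL_CONTEXT: set only by <caller-workflow>; treat as untrusted` (placeholder name), or drop it with the others. The step's `env:` block continues outside the hunk.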
@@ -18,7 +18,7 @@ jobs:
 cherry-pick:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: release/candidate
 fetch-depth: 0
diff --git a/.github/workflows/release-cut.yml b/.github/workflows/release-cut.yml
index 8dbed40..00d624c 100644
--- a/.github/workflows/release-cut.yml
+++ b/.github/workflows/release-cut.yml
@@ -18,7 +18,7 @@ jobs:
 cut-release:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ inputs.commit_sha || 'main' }}
diff --git a/.github/workflows/release-finalize.yml b/.github/workflows/release-finalize.yml
index b9d6203..8214a02 100644
--- a/.github/workflows/release-finalize.yml
+++ b/.github/workflows/release-finalize.yml
@@ -29,7 +29,7 @@ jobs:
 echo "is_release_pr=false" >> $GITHUB_OUTPUT
 fi
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 if: steps.check.outputs.is_release_pr == 'true'
 with:
 ref: release/candidate
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 791d84a..19a7eb5 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -30,7 +30,7 @@ jobs:
 echo "exists=false" >> $GITHUB_OUTPUT
 fi
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 if: steps.check.outputs.exists == 'true'
 with:
 ref: release/candidate
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 95ee326..5293967 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -28,7 +28,7 @@ jobs:
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 echo "Publishing version: $VERSION"
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Install uv
 uses: astral-sh/setup-uv@v4
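Review bot: The trailing `# v4` on the pinned `actions/checkout` line in release-cherry-pick.yml names the moving major tag, so the file does not record which release the SHA was taken from. The same applies to the checkout pins in release-cut.yml, release-finalize.yml, release-please.yml, release-publish.yml and unit-tests.yaml, and to the `# v5` on `actions/setup-python`. Writing the exact release in the comment (`# vX.Y.Z`, placeholder for the tag the SHA belongs to) lets a reviewer or an update bot check the pin against the upstream tag. Nothing in the diff shows how the SHAs were obtained, so it is worth confirming once that each resolves to a tagged commit in the upstream repository.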
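Review bot: `uses: astral-sh/setup-uv@v4` in the context of the first release-publish.yml hunk is still on a mutable tag while the first-party actions around it are now pinned, and this is the workflow that publishes the package. The next hunk's context shows the same step requesting `version: "latest"`, so the uv binary used for the release build floats as well. Pin the action to a full commit SHA in the same way (`uses: astral-sh/setup-uv@<full-commit-sha> # vX.Y.Z`, placeholders) and set `version:` to a fixed uv release. The step definition runs past the edge of both hunks.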
@@ -36,7 +36,7 @@ jobs:
 version: "latest"
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: "3.11"
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
index e3769d5..0d2cbe7 100644
--- a/.github/workflows/unit-tests.yaml
+++ b/.github/workflows/unit-tests.yaml
@@ -16,10 +16,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: ${{ matrix.python-version }}