github-actions[bot] commented on code in PR #62302:
URL: https://github.com/apache/doris/pull/62302#discussion_r3063717706
##########
.github/workflows/opencode-review-runner.yml:
##########
@@ -0,0 +1,223 @@
+name: Code Review Runner
+
+on:
+ workflow_call:
+ inputs:
+ pr_number:
+ required: true
+ type: string
+ head_sha:
+ required: true
+ type: string
+ base_sha:
+ required: true
+ type: string
+
+permissions:
+ pull-requests: write
+ contents: read
+ issues: write
+
+jobs:
+ code-review:
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.head_sha }}
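Review bot: the `actions/checkout@v4` step that closes this hunk sets only `ref`, so `persist-credentials` keeps its default of true and the job token is written into the git config of a workspace that now holds PR-controlled files. Add `persist-credentials: false` under `with:`. The action is also referenced by the mutable tag `v4`; since this workflow declares `pull-requests: write` and `issues: write`, pinning it to a full commit SHA is the safer choice.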
Review Comment:
Checking out `${{ inputs.head_sha }}` here makes the rest of this job run
against untrusted PR contents, but this reusable workflow is invoked from
`issue_comment` with `secrets: inherit`. That is a concrete
privilege-escalation path for fork PRs: the contributor can change `AGENTS.md`
or `.claude/skills/code-review/SKILL.md`, and the prompt later requires
OpenCode to read and follow those files from the checked-out workspace while
`GH_TOKEN` and `CODE_REVIEW_ZCLLL_COPILOT_OPENCODE_KEY` are available. In that
scenario the model can be steered into exfiltrating credentials or performing
arbitrary PR writes. The trusted review instructions need to come from the base
repository revision only, or this job must avoid exposing secrets/write
permissions when operating on head-controlled content.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
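One way to arrange the checkout steps so that `AGENTS.md` and `.claude/skills/code-review/SKILL.md` are read from the base revision only, as the review comment asks. This is an added example, not code from the PR or the Doris project; the directory names `trusted` and `pr-head` and the `REVIEW_INSTRUCTIONS_DIR` variable are assumptions, and the review prompt would have to be changed to load instructions from that directory.

```yaml
# Added example, not the PR's workflow. "trusted", "pr-head" and
# REVIEW_INSTRUCTIONS_DIR are assumed names.
steps:
  - name: Checkout base revision (source of review instructions)
    uses: actions/checkout@v4
    with:
      ref: ${{ inputs.base_sha }}
      path: trusted
      persist-credentials: false   # keep the job token out of .git/config

  - name: Checkout PR head (data to review, never instructions)
    uses: actions/checkout@v4
    with:
      ref: ${{ inputs.head_sha }}
      path: pr-head
      persist-credentials: false

  - name: Pin instruction files to the base revision
    shell: bash
    run: |
      set -euo pipefail
      for f in AGENTS.md .claude/skills/code-review/SKILL.md; do
        # The instruction file must exist in the trusted tree.
        test -f "trusted/$f"
        # Surface PRs that change it; the head copy is never used.
        if ! cmp -s "trusted/$f" "pr-head/$f"; then
          echo "::warning::$f differs between base and head; using base copy"
        fi
      done
      # Later steps read instructions from this directory only.
      echo "REVIEW_INSTRUCTIONS_DIR=$GITHUB_WORKSPACE/trusted" >> "$GITHUB_ENV"
```

This covers the instruction files only: content under `pr-head` is still untrusted input to the model, so the second option in the comment (no secrets or write permissions while handling head-controlled content) remains relevant.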