Severity: High
Summary
The code-reviewer.yml workflow uses brainstormforce/pull-request-reviewer@master — a mutable branch reference — instead of a pinned SHA commit hash. If the master branch of that action repository is compromised (via account takeover, force-push, or malicious contribution), the malicious code will silently execute in this repository's CI with access to two secrets.
Location
File: .github/workflows/code-reviewer.yml, lines 18 and 36
- name: WRITE PR SUMMARY
uses: brainstormforce/pull-request-reviewer@master
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}The same pattern is repeated for the CODE_REVIEW job at line 36.
Impact
- A single compromised push to the upstream action's
master branch would immediately execute malicious code in this repository's CI.
- The attacker would gain access to:
secrets.GITHUB_TOKEN — scoped by the workflow's permissions: write-all (see related issue), allowing repository modifications.secrets.OPENAI_API_KEY — enabling API abuse and key exfiltration.
- There is no audit trail for which exact commit of the action ran on any given workflow execution when using branch refs.
Mitigating Factor
brainstormforce/pull-request-reviewer is an internal first-party action owned by the same organization, not a third-party dependency. This means the attack requires compromising an org-internal repository, which is a higher barrier than compromising an arbitrary public action.
Recommended Fix
Pin the action to a full 40-character SHA commit hash:
- name: WRITE PR SUMMARY
uses: brainstormforce/pull-request-reviewer@<full-40-char-sha>
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}To find the current SHA:
gh api repos/brainstormforce/pull-request-reviewer/commits/master --jq .sha
Add a comment next to the SHA for maintainability:
uses: brainstormforce/pull-request-reviewer@abc123def456 # v1.2.0
Context
Identified during a modular security audit. Other workflows in this repository (claude.yml, claude-code-review.yml) correctly use versioned tags (@v1) from their respective action repositories.
Found by automated security audit — VULN-02
Severity: High
Summary
The
code-reviewer.ymlworkflow usesbrainstormforce/pull-request-reviewer@master— a mutable branch reference — instead of a pinned SHA commit hash. If themasterbranch of that action repository is compromised (via account takeover, force-push, or malicious contribution), the malicious code will silently execute in this repository's CI with access to two secrets.Location
File:
.github/workflows/code-reviewer.yml, lines 18 and 36The same pattern is repeated for the
CODE_REVIEWjob at line 36.Impact
masterbranch would immediately execute malicious code in this repository's CI.secrets.GITHUB_TOKEN— scoped by the workflow'spermissions: write-all(see related issue), allowing repository modifications.secrets.OPENAI_API_KEY— enabling API abuse and key exfiltration.Mitigating Factor
brainstormforce/pull-request-revieweris an internal first-party action owned by the same organization, not a third-party dependency. This means the attack requires compromising an org-internal repository, which is a higher barrier than compromising an arbitrary public action.Recommended Fix
Pin the action to a full 40-character SHA commit hash:
To find the current SHA:
Add a comment next to the SHA for maintainability:
Context
Identified during a modular security audit. Other workflows in this repository (
claude.yml,claude-code-review.yml) correctly use versioned tags (@v1) from their respective action repositories.Found by automated security audit — VULN-02