Skip to content

chore(ci): use workflow_run pattern for auto integ test to fix PR secret access#37333

Open
ozelalisen wants to merge 4 commits intomainfrom
fix/integ-test-auto-team-check-token
Open

chore(ci): use workflow_run pattern for auto integ test to fix PR secret access#37333
ozelalisen wants to merge 4 commits intomainfrom
fix/integ-test-auto-team-check-token

Conversation

@ozelalisen
Copy link
Copy Markdown
Member

@ozelalisen ozelalisen commented Mar 23, 2026

Reason for this change

pull_request_review trigger has no access to repository secrets for PRs, breaking team membership checks and OIDC auth in the auto integ test workflow.

Description of changes

Split into two-stage workflow_run pattern (matching pr-linter-review-trigger.yml → pr-linter.yml):

  • Stage 1 (integration-test-deployment-auto-trigger.yml): Unprivileged pull_request_review trigger. Runs snapshot check, saves PR metadata as artifacts.
  • Stage 2 (integration-test-deployment-auto.yml): Privileged workflow_run trigger. Downloads artifacts, validates team membership, runs integ tests. Reports results to PR via Checks API for future use as
    required status check.

Describe any new or updated permissions being added

  • actions: read — download cross-workflow artifacts
  • checks: write — report test results to PR via Checks API

Description of how you validated changes

Checklist

@ozelalisen
ci(integ-tests): Refactor auto integ test to workflow_run pattern
7340981 
The pull_request_review trigger has no access to repository secrets
for fork PRs, breaking team membership checks and OIDC auth.

Split into two-stage workflow_run pattern (matching pr-linter):
- Stage 1 (trigger): Unprivileged pull_request_review saves PR
  metadata and snapshot check result as artifacts
- Stage 2 (deployment): Privileged workflow_run downloads artifacts,
  validates team membership with secrets, runs integ tests
@ozelalisen
fix(ci): Add actions:read permission and handle missing artifacts
c25f787 
Add top-level actions:read permission required by actions/download-artifact@v8
when downloading cross-workflow artifacts via run-id. Without this, the
artifact download fails with 403. Matches the pattern in codecov-upload.yml.

Handle the case where the trigger workflow completes without uploading
artifacts (no snapshot changes). Add continue-on-error on the download
step, gate parsing on download success, and propagate has_context output
to skip downstream jobs cleanly.

Add explanatory comment for the 7200-minute timeout value.
@ozelalisen
fix(ci): Address code review findings for auto integ-test workflow
89a0ed2 
- Validate artifact content (pr_number, head_sha, base_sha, reviewer)
  before use in privileged workflow_run context (defense-in-depth)
- Add explicit status: completed to check run PATCH API call
- Normalize job names to snake_case for consistency with existing
  integration-test-deployment.yml workflow
- Align timeout-minutes comment with original workflow description
@github-actions github-actions bot added the p2 label Mar 23, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team March 23, 2026 13:43
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 23, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 23, 2026
View reviewed changes
.github/workflows/integration-test-deployment-auto.yml
Comment on lines +176 to +194
env:
GH_TOKEN: ${{ github.token }}
CHECK_ID: ${{ steps.create_check.outputs.check_id }}
TEST_OUTCOME: ${{ steps.run_tests.outcome }}
run: |
if [ "$TEST_OUTCOME" = "success" ]; then
CONCLUSION="success"
TITLE="Integration tests passed"
SUMMARY="All integration tests passed for PR #${{ needs.pr_info.outputs.pr_number }}."
else
CONCLUSION="failure"
TITLE="Integration tests failed"
SUMMARY="Integration tests failed for PR #${{ needs.pr_info.outputs.pr_number }}. See [workflow run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details."
fi
gh api -X PATCH \
-H "Accept: application/vnd.github+json" \
-f status="completed" \
-f conclusion="$CONCLUSION" \
-f "output[title]=$TITLE" \

Check failure

Code scanning / CodeQL

Checkout of untrusted code in a privileged context Critical

Potential execution of untrusted code on a privileged workflow (
workflow_run
Loading
)
Copy link
Copy Markdown
Member Author

@ozelalisen ozelalisen Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an accepted risk, the checkout of PR code in the privileged workflow_run context is required because integration tests need OIDC auth and AWS credentials that are only available in the base repo
context.

Mitigations in place:

  • Code only executes after validate_approver confirms the reviewer is an active CDK team member (via gh api orgs/aws/teams/aws-cdk-team/memberships/)

@ozelalisen
fix(ci): use env vars to prevent code injection in run blocks
6b67f1f 
Address GitHub Advanced Security findings: replace direct ${{ }}
interpolation of artifact-sourced values in shell run blocks with
environment variables to prevent potential code injection.
@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Mar 23, 2026
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. p2 pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. pr/needs-maintainer-review This PR needs a review from a Core Team Member

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ozelalisen @github-advanced-security @aws-cdk-automation