fix: resolve GitHub Actions security vulnerabilities #16174
Merged
FelixMalfait merged 1 commit into main on Nov 28, 2025
- Fix shell command injection in docs-i18n-pull.yaml by using environment variables
- Add explicit permissions to ci-test-docker-compose.yaml workflow
- Apply principle of least privilege with contents: read permission

Fixes shell injection vulnerability where github.head_ref was directly interpolated in the git push command. Now safely assigned to an env variable first. Resolves CodeQL security alerts for missing workflow permissions.
**Greptile Overview**

**Greptile Summary**

This PR successfully addresses two critical security vulnerabilities identified by GitHub CodeQL scanning in GitHub Actions workflows. Changes:

The implementation is correct and consistent with other workflows in the repository that already follow these patterns. Confidence Score: 5/5
**Sequence Diagram**

```mermaid
sequenceDiagram
    participant GH as GitHub Actions
    participant Workflow as docs-i18n-pull.yaml
    participant Git as Git Repository
    participant Env as Environment Variables
    Note over Workflow: Pull Request Event Triggered
    GH->>Workflow: Trigger workflow with github.head_ref
    Note over Workflow,Env: Security Fix: Shell Injection Prevention
    Workflow->>Env: Set HEAD_REF=${{ github.head_ref }}
    Workflow->>Git: git push origin "HEAD:$HEAD_REF"
    Note over Workflow,Git: Environment variable prevents<br/>command injection attacks
    Note over GH,Workflow: Permissions Configuration
    Note over Workflow: ci-test-docker-compose.yaml
    GH->>Workflow: Grant minimal permissions<br/>(contents: read only)
    Workflow->>Git: Read repository contents
    Note over Workflow,Git: Principle of least privilege<br/>applied to GITHUB_TOKEN
```
NotYen pushed a commit to NotYen/twenty-ym that referenced this pull request on Dec 4, 2025
This PR addresses security vulnerabilities identified by GitHub CodeQL security scanning.

**1. Fix Shell Command Injection (High Severity)**

**File:** `.github/workflows/docs-i18n-pull.yaml`
**Issue:** Direct interpolation of `${{ github.head_ref }}` in a shell command was susceptible to command injection attacks.
**Fix:** Assign the GitHub context variable to an environment variable first:

```yaml
run: |
  git push origin "HEAD:$HEAD_REF"
env:
  HEAD_REF: ${{ github.head_ref }}
```

This prevents malicious input from being executed as shell commands.

**2. Add Missing Workflow Permissions (Medium Severity)**

**File:** `.github/workflows/ci-test-docker-compose.yaml`
**Issue:** Workflow did not explicitly define GITHUB_TOKEN permissions, running with overly broad defaults.
**Fix:** Added explicit minimal permissions:

```yaml
permissions:
  contents: read
```

This applies to all 3 jobs in the workflow:
- `changed-files-check`
- `test`
- `ci-test-docker-compose-status-check`

**Security Impact**
- ✅ Prevents potential shell injection attacks via pull request branch names
- ✅ Follows principle of least privilege for GitHub Actions tokens
- ✅ Aligns with GitHub Actions security best practices
- ✅ Resolves all CodeQL security alerts for these workflows

**References**
- [GitHub Actions: Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
- [GitHub Actions: Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
- Related attacks: 2025 Nx supply chain attack, 2024 ultralytics/actions attack
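A small checker for the two CodeQL finding classes this PR fixes, added here as an illustration and not code from the PR or the repository: it flags `${{ ... }}` expressions that pull attacker-controlled context into a `run:` script, and workflows that declare no `permissions:` block. The untrusted-context list and the two sample workflows are constructed for the example (modelled on the before/after state described above).

```python
import re

# Contexts GitHub's hardening guide lists as attacker-controlled on pull_request
# and issue events (branch names, titles, bodies, comments); not exhaustive.
UNTRUSTED = ("github.head_ref", "github.event.pull_request.head.ref",
             "github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.issue.title", "github.event.comment.body")
EXPR = re.compile(r"\$\{\{\s*([\w.]+)")     # path inside ${{ github.head_ref }}
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:")  # a `run:` or `- run:` step key

def find_workflow_issues(text):
    """Scan one workflow's YAML text; return (line_no, kind, detail) findings."""
    findings = []
    run_indent = None                 # column of the open `run:` key, else None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None         # a sibling key such as env: ends the script
        m = RUN_KEY.match(line)
        if m:
            run_indent = len(m.group(1)) + len(m.group(2) or "")
        if run_indent is not None:    # inline script or block-scalar body line
            for path in EXPR.findall(line):
                if path.startswith(UNTRUSTED):
                    findings.append((no, "shell-injection", path))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append((0, "missing-permissions", "GITHUB_TOKEN uses repo defaults"))
    return findings

# Constructed workflows modelled on the before/after state the PR describes.
VULNERABLE = """\
on: pull_request
jobs:
  push:
    steps:
      - run: |
          git push origin "HEAD:${{ github.head_ref }}"
"""
FIXED = """\
on: pull_request
permissions:
  contents: read
jobs:
  push:
    steps:
      - run: |
          git push origin "HEAD:$HEAD_REF"
        env:
          HEAD_REF: ${{ github.head_ref }}
"""
```

The same `${{ github.head_ref }}` expression is reported inside the `run:` script but not inside `env:`, which is exactly the distinction the fix relies on.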