pull_request_target misuse and credential exposure in Python workflows
Due to the high number of ongoing AI-enabled attacks on public GitHub repositories, we need to address the following identified issues in this repository related to pull_request_target and credentials.
Threat vectors identified
Privileged workflow execution via pull_request_target (high)
check-python-code.yaml and check-python-package-versions.yaml use pull_request_target with no legitimate need. This trigger runs workflows from the base branch with repository secrets and elevated permissions, including an OIDC token capable of assuming AWS IAM roles.
Any repo contributor with branch access could open a PR from a modified branch to execute arbitrary code in this privileged context - potentially assuming the GithubActions_Schema_CodeArtifact_Publish role to push malicious packages to the CodeArtifact repository.
Unmasked credentials in workflow logs (medium)
reusable-check-python-package-versions.yaml writes the CodeArtifact index_url (which embeds an auth token as aws:<token>@hostname) to $GITHUB_OUTPUT without masking, then interpolates it directly into a run: step.
Similarly, publish-python-packages.yaml writes the CodeArtifact auth token to $GITHUB_OUTPUT unmasked before use. Both values will appear in plaintext in workflow logs.
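One way to close the unmasked index_url finding, as an added example (not code from this repository's workflows): the token is pulled out of the aws:<token>@hostname userinfo and registered with the runner's `::add-mask::` command before the URL is written to $GITHUB_OUTPUT. The function names and the URL used to exercise them are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: mask the auth token embedded in a CodeArtifact index URL
# before the URL reaches $GITHUB_OUTPUT. Function names are hypothetical.

# Print the <token> part of scheme://aws:<token>@hostname/...
# Returns 1 when the URL carries no aws:<token>@ userinfo.
extract_index_token() {
  local url="$1" rest userinfo
  rest="${url#*://}"              # drop the scheme
  case "$rest" in
    *@*) ;;                       # userinfo separator present
    *) return 1 ;;
  esac
  userinfo="${rest%%@*}"          # text before the first '@'
  case "$userinfo" in
    aws:?*) printf '%s\n' "${userinfo#aws:}" ;;
    *) return 1 ;;
  esac
}

# Register the mask first, then write the output. Fails closed: a URL that
# cannot be parsed is never written, so nothing unmasked is emitted.
emit_masked_index_url() {
  local url="$1" token
  if ! token="$(extract_index_token "$url")"; then
    echo "index_url has no aws:<token>@ userinfo; not writing it" >&2
    return 1
  fi
  # The runner replaces every later occurrence of the token with ***.
  echo "::add-mask::${token}"
  echo "index_url=${url}" >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}"
}
```

In the consuming step, pass the output through `env:` and reference it as a shell variable rather than interpolating the expression into the `run:` script text.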