
Harden respond-to-comment.yml against fork PRs#14

Closed
hongyi-chen wants to merge 1 commit into main from harden-oz-agent-fork-guard

Conversation

@hongyi-chen
Collaborator

Summary

Hardens the @oz-agent workflow surface in this repo against the same forked-PR exploit chain that was demonstrated in oz-for-oss: a maintainer commenting @oz-agent on a fork PR was sufficient to execute fork-controlled code on a runner holding WARP_API_KEY and a contents: write GITHUB_TOKEN, then push back upstream.

Changes

.github/workflows/respond-to-comment.yml

  • Add a "Check PR is not from a fork" step as the first job step. It loads the PR via github.rest.pulls.get, posts a friendly decline comment back to the author when pr.head.repo.full_name doesn't match the upstream repo, and calls core.setFailed before any checkout, agent invocation, or git push. This runs ahead of the existing commenter-permission check, so fork PRs are rejected even when a maintainer triggers them.
  • Pin warpdotdev/oz-agent-action from the floating @v1 tag to commit SHA ce1621abf6a8ed8afdd4e4cc994545ede8fe1c6f # v1.0.12.

.github/workflows/review-pr.yml

  • Pin warpdotdev/oz-agent-action from the floating @v1 tag to commit SHA ce1621abf6a8ed8afdd4e4cc994545ede8fe1c6f # v1.0.12. The existing job-level if: github.event.pull_request.head.repo.full_name == github.repository already gates fork PRs.

Out of scope

  • Vercel preview-deployment settings. Tracked separately; will be coordinated alongside the warp-internal-side mitigations.
  • GitHub repo settings (e.g. require approval for outside-collaborator workflow runs) and WARP_API_KEY rotation. Tracked separately.
  • Contributor guidance. Worth a follow-up note in AGENTS.md once we have repo-wide guidance written down for any new agent workflow.

Validation

  • Re-read both workflow files after edits to confirm the fork-guard step runs before checkout / agent / push, the existing commenter-permission step still runs, and the user-facing decline comment explains why.
  • YAML parses cleanly.

Co-Authored-By: Oz <oz-agent@warp.dev>
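The fork guard described in the Changes section, written out as an added example workflow that is not the repository's own respond-to-comment.yml. The event wiring, job name, permissions block, comment text and the shape of the commenter-permission check (assumed to use the collaborator permission API) are my assumptions; the oz-agent-action SHA pin is the one this PR states, and the agent step's inputs are not shown because the page does not describe them.

```yaml
name: Respond to comment

# issue_comment fires for PR comments as well; for a PR the payload carries
# github.event.issue.pull_request, and the job runs in the *base* repository
# with a GITHUB_TOKEN scoped by the permissions block below. That is exactly
# why a guard on the PR's head repository has to run before anything else.
on:
  issue_comment:
    types: [created]

permissions:
  contents: write        # the agent pushes back to the PR branch
  pull-requests: write   # needed to post the decline comment
  issues: write

jobs:
  respond:
    # Assumed trigger condition: a newly created comment on a PR mentioning the agent.
    if: >-
      github.event.issue.pull_request != null &&
      contains(github.event.comment.body, '@oz-agent')
    runs-on: ubuntu-latest
    steps:
      # Runs first: before checkout, the agent, or any git push. A maintainer
      # commenting "@oz-agent" on a fork PR must not be enough to run code from
      # the fork with the write token and WARP_API_KEY on this runner.
      - name: Check PR is not from a fork
        uses: actions/github-script@v7   # pin this to a commit SHA as well
        with:
          script: |
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
            });
            const upstream = `${context.repo.owner}/${context.repo.repo}`;
            // pr.head.repo is null when the fork was deleted; treat that as a fork too.
            const head = pr.head.repo ? pr.head.repo.full_name : null;
            if (head !== upstream) {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body: [
                  'Thanks for the contribution! @oz-agent cannot run on pull requests',
                  'opened from a fork, because this workflow has write access to the',
                  'repository. A maintainer can recreate the branch in this repo to use it.',
                ].join(' '),
              });
              core.setFailed(`Refusing to run on fork PR: head repo ${head ?? '(deleted)'} != ${upstream}`);
            }

      # Assumed form of the existing commenter-permission check: the commenter
      # must hold write or admin on the upstream repository.
      - name: Check commenter has write permission
        uses: actions/github-script@v7
        with:
          script: |
            const username = context.payload.comment.user.login;
            const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              username,
            });
            if (!['admin', 'write'].includes(data.permission)) {
              core.setFailed(`${username} has ${data.permission} permission; write required`);
            }

      # Only reached for same-repo PRs opened or triggered by a writer.
      - name: Check out PR branch
        uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head

      # Pinned to the commit SHA from this PR rather than the floating @v1 tag,
      # so a moved tag upstream cannot change what runs with these credentials.
      - name: Run agent
        uses: warpdotdev/oz-agent-action@ce1621abf6a8ed8afdd4e4cc994545ede8fe1c6f # v1.0.12
        # the action's inputs and secrets (e.g. WARP_API_KEY) are passed here (not shown)
```

Two details worth checking when adapting this: the guard needs pull-requests: write (or issues: write) to post the decline comment, otherwise createComment fails before core.setFailed runs; and comparing full_name rather than pr.head.repo.fork catches a deleted fork (null head repo) and a PR from a repository that merely shares the name.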


Conversation · Plan

Adds a fork-guard step before checkout/agent/push, and pins
warpdotdev/oz-agent-action from the floating @v1 tag to a commit SHA
in both workflows.

Co-Authored-By: Oz <oz-agent@warp.dev>
cla-bot (bot) added the cla-signed label on May 1, 2026
vercel (bot) commented May 1, 2026

The latest updates on your projects:

Project: docs
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 1, 2026 9:22pm