The bundle file is available in the agent artifact of workflow run 25541826962 (see the Workflow Run link in the note at the end of this issue). To create a pull request with the changes:
# Download the artifact from the workflow run
gh run download 25541826962 -n agent -D /tmp/agent-25541826962
# Fetch the bundle into a local branch
git fetch /tmp/agent-25541826962/aw-fix-sec-022-secret-scoping-issue-819.bundle refs/heads/fix/sec-022-secret-scoping-issue-819:refs/heads/fix/sec-022-secret-scoping-issue-819-73895681a8f28bc0
git checkout fix/sec-022-secret-scoping-issue-819-73895681a8f28bc0
# Push the branch to origin
git push origin fix/sec-022-secret-scoping-issue-819-73895681a8f28bc0
# Create the pull request
gh pr create --title '[oblt-aw][security] Fix SEC-022 secret scoping in reusable workflows' --base main --head fix/sec-022-secret-scoping-issue-819-73895681a8f28bc0 --repo elastic/oblt-aw
Closes #819
Summary
This remediates SEC-022 least-privilege findings by removing broad secret inheritance from reusable workflow calls and forwarding only COPILOT_GITHUB_TOKEN where needed. With secrets: inherit, a called workflow receives every secret the caller can see; explicit forwarding restricts it to the secrets it actually declares and uses.
Resolution Plan Checklist
Identify SEC-022-style secrets: inherit usages in affected workflows
Replace inherited secrets with explicit least-privilege secret forwarding
Add/align workflow_call secret contracts for wrappers that forward secrets
Update related workflow documentation
Run validation and confirm remediation
Changes Implemented
Replaced secrets: inherit with explicit COPILOT_GITHUB_TOKEN forwarding in:
.github/workflows/oblt-aw-ingress.yml (autodoc, issue-fixer, resource-not-accessible-by-integration-fixer, security-fixer jobs)
.github/workflows/gh-aw-agent-suggestions.yml
.github/workflows/gh-aw-resource-not-accessible-by-integration-detector.yml
.github/workflows/gh-aw-security-fixer.yml
.github/workflows/gh-aw-autodoc.yml (audit, fix jobs)
.github/workflows/gh-aw-issue-fixer.yml
.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.yml
Added/aligned workflow_call secret declarations in:
.github/workflows/gh-aw-issue-fixer.yml
.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.yml
Updated workflow documentation:
docs/workflows/gh-aw-issue-fixer.md
docs/workflows/gh-aw-resource-not-accessible-by-integration-fixer.md
Validation Evidence
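The following shell script is an added example, not code from the oblt-aw repository or from this workflow run, and not the run's own validation evidence. It writes three constructed sample workflows into a temporary directory: a caller using secrets: inherit (the pattern SEC-022 flags), the same caller forwarding only COPILOT_GITHUB_TOKEN, a caller that also forwards a secret the callee never asked for, and a callee that declares its contract under on.workflow_call.secrets and passes the token to its step through env rather than interpolating it into the run: command string. It then runs two checks of the kind the "Run validation" step above calls for: a grep for remaining secrets: inherit usages, and a comparison of what each caller forwards against what the callee declares. File, job and secret names other than COPILOT_GITHUB_TOKEN are hypothetical; the checks rely on simple line patterns rather than a YAML parser, so run a YAML-aware linter such as actionlint over real workflows.

```shell
#!/bin/sh
# Added example: constructed sample workflows plus two checks for the SEC-022
# pattern. Not code from the oblt-aw repository; file, job and secret names
# other than COPILOT_GITHUB_TOKEN are hypothetical.

# Write the constructed sample workflows into the directory given as $1.
write_samples() {
  mkdir -p "$1"
  # Before: `secrets: inherit` hands the callee every secret the caller can see.
  cat > "$1/caller-before.yml" <<'EOF'
name: caller-before
on: workflow_dispatch
jobs:
  fixer:
    uses: ./.github/workflows/callee.yml
    secrets: inherit
EOF
  # After: forward only the one secret the callee needs.
  cat > "$1/caller-after.yml" <<'EOF'
name: caller-after
on: workflow_dispatch
jobs:
  fixer:
    uses: ./.github/workflows/callee.yml
    secrets:
      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
EOF
  # Drift case: a caller forwarding a secret the callee never declared.
  cat > "$1/caller-undeclared.yml" <<'EOF'
name: caller-undeclared
on: workflow_dispatch
jobs:
  fixer:
    uses: ./.github/workflows/callee.yml
    secrets:
      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
      SOME_OTHER_SECRET: ${{ secrets.SOME_OTHER_SECRET }}
EOF
  # Callee: the workflow_call secret contract. The token reaches the step via
  # env, not by interpolation into the run: command string.
  cat > "$1/callee.yml" <<'EOF'
name: callee
on:
  workflow_call:
    secrets:
      COPILOT_GITHUB_TOKEN:
        required: true
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: gh auth status
        env:
          GH_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
EOF
}

# Check 1: print every file under $1 that still uses `secrets: inherit`.
find_inherit() {
  grep -rlE '^[[:space:]]*secrets:[[:space:]]*inherit[[:space:]]*$' "$1" 2>/dev/null || true
}

# Check 2: print the secrets that caller $1 forwards but callee $2 does not
# declare under workflow_call.secrets. Empty output means the contract matches.
# Heuristic: secret names are taken to be UPPER_CASE keys; a real audit should
# use a YAML-aware linter instead.
undeclared_forwarded() {
  forwarded=$(sed -n 's/^[[:space:]]*\([A-Z][A-Z0-9_]*\):[[:space:]]*\${{.*secrets\..*/\1/p' "$1")
  declared=$(sed -n 's/^[[:space:]]*\([A-Z][A-Z0-9_]*\):[[:space:]]*$/\1/p' "$2" | tr '\n' ' ')
  for s in $forwarded; do
    case " $declared " in
      *" $s "*) ;;
      *) echo "$s" ;;
    esac
  done
}

# Usage: run both checks over the constructed samples.
main() {
  tmp=$(mktemp -d)
  write_samples "$tmp"
  echo "still inheriting all secrets:"
  find_inherit "$tmp"
  echo "forwarded but not declared by callee (caller-undeclared.yml):"
  undeclared_forwarded "$tmp/caller-undeclared.yml" "$tmp/callee.yml"
  rm -rf "$tmp"
}
main
```

Running the script reports caller-before.yml under the first check and SOME_OTHER_SECRET under the second; caller-after.yml passes both. The second check matters because GitHub rejects a caller that forwards a secret the callee does not declare, so keeping the workflow_call contract in step with the caller is what turns the explicit forwarding into an enforced boundary.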
Security Control Confirmation
COPILOT_GITHUB_TOKEN.
run: command strings.
Note
Integrity filter blocked 31 items
The following items were blocked because they don't meet the GitHub integrity level.
issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved". (repeated 2 times)
list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved". (repeated 14 times)
To allow these resources, lower min-integrity in your GitHub frontmatter:
From workflow: Observability Agentic Workflow Entrypoint
Note
This was originally intended as a pull request, but the git push operation failed.
Workflow Run: View run details and download bundle artifact