[oblt-aw][security] Fix SEC-031 checkout credential persistence #837

@github-actions

Description

Closes #831

This change remediates SEC-031 by disabling persisted Git credentials in actions/checkout@v6 steps where credential reuse is not required.

Plan checklist

  • Read SEC-031 context and related prior issues
  • Identify affected checkout steps
  • Apply least-privilege hardening (persist-credentials: false)
  • Preserve env-indirection (no secret interpolation in run: strings)
  • Run repository validation commands and security scan check for SEC-031

Implemented changes

Added persist-credentials: false to checkout steps in:

  • .github/workflows/ci.yml
  • .github/workflows/distribute-client-workflow.yml
  • .github/workflows/get-enabled-workflows.yml
  • .github/workflows/gh-aw-automerge.yml
  • .github/workflows/gh-aw-security-detector.yml
  • .github/workflows/load-allowed-authors.yml
  • .github/workflows/sync-control-plane-dashboard.yml

Validation evidence

npm test --silent
6 tests passed, 0 failed

/tmp/gh-aw/agent/venv/bin/python -m pytest tests/ -q
89 passed

bash scripts/security-scan.sh . | awk -F'|' '$3=="SEC-031"{print}'
(no output)

Security controls confirmation

  • Least-privilege: checkout credentials are no longer persisted into local git config for the hardened steps.
  • Env-indirection: token/secret handling remains via with.token or env variables; no direct secret interpolation was introduced in run: command strings.
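As an added illustration (not code from the elastic/oblt-aw repository or its scripts/security-scan.sh), a small line-based Python check that reproduces the two controls confirmed above over a constructed workflow snippet: it flags actions/checkout steps that never set persist-credentials: false and run: strings that interpolate ${{ secrets.* }} instead of reading the value from env:. The sample workflow, the rule names and the message texts are assumptions made for this example.

```python
import re
# Constructed sample workflow (not from elastic/oblt-aw): a hardened and an
# unhardened checkout, then a secret in a run: string beside the env-indirected form.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - run: |
          curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://example.invalid
      - env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
        run: curl -H "Authorization: Bearer $API_TOKEN" https://example.invalid
"""
STEP_START_RE = re.compile(r"^\s*-\s")
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")
RUN_KEY_RE = re.compile(r"^\s*-?\s*run:")
SECRET_INTERP_RE = re.compile(r"\$\{\{\s*secrets\.")

def scan_workflow(text):
    """Heuristic line pass (no YAML library): flag checkouts lacking persist-credentials: false and secrets in run:."""
    findings, pending, run_col, step_indent = [], None, None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if line.strip() == "steps:":
            step_indent = -1  # the next list marker fixes the steps indent
        elif STEP_START_RE.match(line) and step_indent in (-1, indent):
            step_indent = indent  # a new step begins: close out the previous one
            if pending is not None:
                findings.append((pending, "SEC-031", "checkout never sets persist-credentials: false"))
            pending, run_col = None, None
        if CHECKOUT_RE.match(line):
            pending = lineno  # provisional finding until the step sets the option
        elif PERSIST_FALSE_RE.match(line):
            pending = None
        if RUN_KEY_RE.match(line):
            run_col = line.index("run:")  # value may continue as a block scalar below
        elif run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # back at a sibling key: the run: value has ended
        if run_col is not None and SECRET_INTERP_RE.search(line):
            findings.append((lineno, "ENV-INDIRECTION", "secret interpolated into run:; pass it via env:"))
    if pending is not None:
        findings.append((pending, "SEC-031", "checkout never sets persist-credentials: false"))
    return findings
```

Run it over the files listed under "Implemented changes" (for example `scan_workflow(open(path).read())` per workflow) to confirm that no checkout step is still reported after the hardening.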

Follow-up

Request review from elastic/observablt-ci after required checks are green, then move from Draft to Ready for review.

Note

🔒 Integrity filter blocked 75 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #831 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #831 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #821 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #813 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #802 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #791 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #779 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-031 — findings (2026-05-09) #831 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • Autodoc Secrets instructions #736 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • Start using the issue-fixer agentic workflow #707 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • Autodoc Improvement #705 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • Permissions failed again #683 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • Permissions Bug #681 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • Wrong permissions #679 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • Autodoc labels #661 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-032 — findings (2026-05-09) #832 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • ... and 59 more items

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: Observability Agentic Workflow Entrypoint

Note

This was originally intended as a pull request, but the git push operation failed.

Workflow Run: View run details and download bundle artifact

The bundle file is available in the agent artifact in the workflow run linked above.

To create a pull request with the changes:

# Download the artifact from the workflow run
gh run download 25594992092 -n agent -D /tmp/agent-25594992092

# Fetch the bundle into a local branch
git fetch /tmp/agent-25594992092/aw-elastic-oblt-aw-fix-sec-031-checkout-persist-credentials-831.bundle refs/heads/fix/sec-031-checkout-persist-credentials-831:refs/heads/fix/sec-031-checkout-persist-credentials-831-960314779a028964
git checkout fix/sec-031-checkout-persist-credentials-831-960314779a028964

# Push the branch to origin
git push origin fix/sec-031-checkout-persist-credentials-831-960314779a028964

# Create the pull request
gh pr create --title '[oblt-aw][security] Fix SEC-031 checkout credential persistence' --base main --head fix/sec-031-checkout-persist-credentials-831-960314779a028964 --repo elastic/oblt-aw
