
[oblt-aw][security] Fix SEC-032 actionlint download integrity #734

Draft
github-actions[bot] wants to merge 1 commit into main from fix/sec-032-actionlint-integrity-730-0e9d38163d544a0b


@github-actions
Contributor

Closes #730

Summary

This PR remediates SEC-032 in the security detector tool installer by removing remote script execution and requiring checksum verification for the downloaded actionlint artifact.

What changed

  • Updated scripts/install_security_detector_tools.sh to:
    • detect runner architecture (amd64 or arm64),
    • download actionlint_<version>_linux_<arch>.tar.gz from official GitHub Releases,
    • download checksums.txt from the same release,
    • verify integrity via sha256sum -c before extraction,
    • extract only the verified archive and clean up downloaded files.
  • Updated docs/workflows/gh-aw-security-detector.md to document checksum-verified actionlint installation.

Resolution plan checklist

  • Identify SEC-032 download path lacking cryptographic verification
  • Replace unsafe download/execute pattern with verified artifact install flow
  • Keep behavior compatible with existing detector workflow usage
  • Update directly related documentation
  • Run repo tests and script validation

Validation evidence

  • npm test --silent → pass (6/6)
  • . /tmp/gh-aw/agent/venv/bin/activate && pytest tests/ → pass (89/89)
  • bash -n scripts/install_security_detector_tools.sh → pass

Security requirements confirmation

  • Least privilege: No workflow permission scopes were broadened; this change is limited to installer behavior.
  • Env indirection: No secrets/tokens are interpolated into command strings by this change; no secret-handling behavior was expanded.

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #730 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [oblt-aw][security] SEC-032 — findings (2026-04-28) #730 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #730 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: Observability Agentic Workflow Entrypoint


Remediate SEC-032 by replacing process-substitution curl execution with direct GitHub release download plus checksum verification. Detect runner architecture, fetch checksums.txt, verify archive via sha256sum -c, then extract the validated tarball.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
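
The verify-then-extract flow described in this PR, written out as an added example; it is not the contents of scripts/install_security_detector_tools.sh, which this page does not show. The function names are hypothetical, and the example assumes the archive and the checksum file have already been downloaded into one directory.

```shell
#!/usr/bin/env bash
# Added example: checksum-gated extraction. Function names are hypothetical.

# Map `uname -m` output to the release arch suffix (amd64 or arm64).
detect_arch() {
  local machine=${1:-$(uname -m)}
  case "$machine" in
    x86_64|amd64) echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $machine" >&2; return 1 ;;
  esac
}

# verify_and_extract DIR ARCHIVE CHECKSUMS DEST
# Extracts ARCHIVE into DEST only if its SHA-256 matches its entry in CHECKSUMS.
verify_and_extract() {
  local dir=$1 archive=$2 sums=$3 dest=$4 line
  # A release checksum file usually lists every platform. Select exactly one
  # entry by exact file name so absent archives do not affect the result and
  # a missing or duplicated entry is treated as a failure.
  line=$(awk -v f="$archive" '$2 == f || $2 == ("*" f) { n++; l = $0 }
         END { if (n != 1) exit 1; print l }' "$dir/$sums") || {
    echo "expected exactly one checksum entry for $archive" >&2
    return 1
  }
  # sha256sum -c resolves the listed file name relative to the current directory.
  if ! (cd "$dir" && printf '%s\n' "$line" | sha256sum -c - >/dev/null 2>&1); then
    echo "checksum mismatch for $archive; refusing to extract" >&2
    return 1
  fi
  # Reached only after a successful verification.
  mkdir -p "$dest" && tar -xzf "$dir/$archive" -C "$dest"
}
```

Because the checksum file comes from the same release as the archive, this check catches corruption or a swapped artifact but not a compromised release; pinning the expected digest in the repository covers that case.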

Development

Successfully merging this pull request may close these issues.

[oblt-aw][security] SEC-032 — findings (2026-04-28)
