Skip to content

ci: pin go-choppy/ossutil-github-action to a SHA in the OSS-deploy workflows#4141

Open
kobihikri wants to merge 1 commit into
higress-group:mainfrom
kobihikri:pin-ossutil-action
Open

ci: pin go-choppy/ossutil-github-action to a SHA in the OSS-deploy workflows#4141
kobihikri wants to merge 1 commit into
higress-group:mainfrom
kobihikri:pin-ossutil-action

Conversation

@kobihikri

Copy link
Copy Markdown

What this does

The OSS-deploy workflows run go-choppy/ossutil-github-action@master — a third-party action pinned to a mutable branch — and pass it the Aliyun OSS credentials directly as inputs (accessKey: ${{ secrets.ACCESS_KEYID }}, accessSecret: ${{ secrets.ACCESS_KEYSECRET }}). This pins it to the current commit SHA across all three workflows.

Why

@master resolves to whatever that branch's HEAD is at run time. The action redirects to yjcyxky/ossutil-github-action, a personal repo whose last commit was 2022-05-26 — so it's dormant and a natural target. If that branch were force-moved or the account compromised (the class of thing that happened with tj-actions/changed-files), the injected code would run in a job holding the OSS access key + secret for oss://higress-ai/ (which serves the public helm charts, tarballs, and install.sh). Because the secrets are passed as direct inputs, they'd be trivially exfiltratable.

Pinning to a full commit SHA (7fe73c7, the current master) keeps behavior identical while removing the moving-target window. Changed in deploy-to-oss.yaml, deploy-standalone-to-oss.yaml, and sync-skills-to-oss.yaml.

Since the action is dormant, you may also want to vendor or replace it long-term — happy to help if useful.

DCO signed-off.


Disclosure: I used an AI tool to help spot this and prepare the change; I verified the action's repo and the pinned SHA myself and take responsibility for it.

…ploy workflows

This third-party action is pinned to the mutable @master branch (it redirects
to yjcyxky/ossutil-github-action, a personal repo last updated in 2022) while
being handed the Aliyun OSS access key + secret as inputs. Pin to the current
master commit so a force-move/compromise of that action can't run with the OSS
credentials. Affects deploy-to-oss, deploy-standalone-to-oss, sync-skills-to-oss.

Assisted by an AI tool; verified against the workflows and the action's repo myself.

Signed-off-by: Kobi Hikri <kobi.hikri@gmail.com>
@CLAassistant

CLAassistant commented Jul 14, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants