The pull_request_target workflow checked out and executed Go scripts from
the PR head, allowing attackers to inject arbitrary code via init()
functions with access to a write-scoped GITHUB_TOKEN. This was confirmed
exploited in the wild (ref: StepSecurity blog).
Checkout now targets the base branch so only trusted scripts execute.
PR head SHA is fetched as data-only for diffing via a new PR_HEAD_SHA
env var. Write operations (comments, labels) are isolated in a separate
report job that never checks out code. All job permissions follow least
privilege — quality runs read-only, report holds the write token.
fixed: #6083
Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
Co-Authored-By: Thierry Abalea <thierry.abalea@shipfox.io>
The "Fetch base branch" step fails with exit code 128 when running
inside the golang:latest container because Git does not recognize the
workspace as a safe directory. This is a Git security feature (CVE-2022-24765)
that blocks operations in directories owned by a different user, which
happens when actions/checkout runs inside a container.
https://claude.ai/code/session_01NBtQtSPnsSvAwqUMBMLGFh
Co-authored-by: Claude <noreply@anthropic.com>
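As an added illustration, not the project's actual workflow file, the layout the two commit messages above describe: a pull_request_target workflow that checks out the base branch, fetches the PR head SHA as data only, marks the container workspace as a Git safe directory, and keeps the write token in a separate report job that never checks out code. The job ids, script path, artifact name and checkout/artifact action versions are assumptions.

```yaml
# Added example (not the repository's own workflow); names are assumptions.
name: pr-quality-check
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions: {}            # nothing by default; each job asks for what it needs

jobs:
  quality:
    runs-on: ubuntu-latest
    container: golang:latest
    permissions:
      contents: read       # this job executes code, so it holds no write scope
    steps:
      # Check out the BASE branch: only scripts already merged are executed.
      # The PR head is never checked out here.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          fetch-depth: 0
      # Inside the container the workspace is owned by another uid, so Git
      # refuses to operate on it (CVE-2022-24765) until it is marked safe.
      - name: Mark workspace as a safe directory
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      # The PR head commit is fetched as data only: it is diffed, not run.
      # Untrusted values reach the shell through env vars, not ${{ }} splicing.
      - name: Fetch PR head for diffing
        env:
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          git fetch --no-tags origin "$PR_HEAD_SHA"
          git diff --name-only "$BASE_SHA" "$PR_HEAD_SHA" > changed-files.txt
      - name: Run quality checks from trusted base-branch code
        env:
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: go run ./.github/scripts/check-quality > report.md  # hypothetical path
      - uses: actions/upload-artifact@v4
        with: { name: pr-report, path: report.md }

  report:
    needs: quality
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write # the only write token; this job never checks out code
    steps:
      - uses: actions/download-artifact@v4
        with: { name: pr-report }
      - name: Post the report as a PR comment
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file report.md
```

The quality job produces only an artifact, so even if a checked script misbehaved it could not comment, label or push; the report job holds the write scope but runs nothing from the PR.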
* automate PR review: rewrite quality checks in Go and add diff validation
- Replace check-quality.js with Go implementation that adds:
open source license detection, repo maturity (5+ months),
CI/CD presence check, and README existence verification
- Add new check-pr-diff tool that validates README changes:
single item per PR, link consistency with PR body,
description format, non-promotional language, and
category minimum size (3 items)
- Update pr-quality-check workflow to run both Go tools
with separate quality and diff reporting sections
- Improve CONTRIBUTING.md with new "What is checked automatically"
section documenting all blocking and non-blocking CI checks,
plus what still requires manual maintainer review
- Improve PR template with clearer structure separating
CI-validated requirements from manual review items
https://claude.ai/code/session_01JcdbDdtERhAXFFZmu3pCVY
* add actionable fix instructions to automated PR review comments
Each failed check now includes a "How to fix" section with specific
commands and steps the contributor needs to take, e.g.:
- missing go.mod → shows exact `go mod init` + `go mod tidy` commands
- missing semver release → shows `git tag v1.0.0` command and GitHub UI link
- low Go Report Card grade → shows `gofmt`, `go vet` commands
- missing PR body links → shows the exact text to paste
- description without period → shows the corrected entry line
- link mismatch → shows both URLs and which to update
https://claude.ai/code/session_01JcdbDdtERhAXFFZmu3pCVY
* add auto-merge when all PR quality checks pass
Adds an auto-merge job that enables GitHub's native auto-merge (squash)
after the quality and diff checks succeed. GitHub will only execute the
merge once ALL required branch protection status checks are green
(including the tests workflow).
Requires "Allow auto-merge" to be enabled in repo settings.
https://claude.ai/code/session_01JcdbDdtERhAXFFZmu3pCVY
* add workflow to re-run quality checks on all open PRs
Creates a manual workflow_dispatch workflow that iterates through all
open PRs and closes/reopens each one to re-trigger the quality check
pipeline. Includes a 2s delay between PRs to respect API rate limits.
Usage: Actions tab → "Re-check all open PRs" → Run workflow
https://claude.ai/code/session_01JcdbDdtERhAXFFZmu3pCVY
* skip quality checks for PRs that don't modify README.md
The quality checks (forge link, pkg.go.dev, Go Report Card, etc.) only
apply to package addition/removal PRs. Internal PRs (workflow changes,
docs, scripts) were failing because they naturally don't have those
fields in the PR body.
Now the workflow first detects if README.md is in the changed files:
- If yes: runs full quality + diff checks as before
- If no: posts a "Skipped" notice and passes cleanly
Fixes false failures like PR #6055.
https://claude.ai/code/session_01JcdbDdtERhAXFFZmu3pCVY
---------
Co-authored-by: Claude <noreply@anthropic.com>
- Add `.github/scripts/check-quality.js` to extract PR links and validate minimum standards:
  - Checks repo accessibility, go.mod, SemVer release, Go Report Card (A- or better), coverage, and pkg.go.dev.
  - Outputs markdown report and sets fail status for critical issues.
- Add `.github/scripts/extract-pr-links.js` to extract and format PR body links for review.
- Add `.github/workflows/pr-quality-check.yaml` to run quality checks on PRs, post results as comments, sync labels, and fail PR if critical checks fail.
- Update `CONTRIBUTING.md` to clarify required PR body links and quality standards.
- Update `.github/workflows/pull-request-first-comment.yaml` to support new automation.
This improves PR review automation and enforces minimum quality standards for new submissions.
Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>