Skip to content

ci: restrict credentialed Custard test job to trusted refs#4382

Open
evilgensec wants to merge 1 commit into
GoogleCloudPlatform:mainfrom
evilgensec:ci-restrict-custard-test-trusted-refs
Open

ci: restrict credentialed Custard test job to trusted refs#4382
evilgensec wants to merge 1 commit into
GoogleCloudPlatform:mainfrom
evilgensec:ci-restrict-custard-test-trusted-refs

Conversation

@evilgensec

Copy link
Copy Markdown

What

Add a trust guard to the test job in .github/workflows/custard-run.yaml so it does not run repository code from forked pull requests while the kokoro-system-test@long-door-651 service account credentials are configured.

Why

custard-run.yaml is triggered by workflow_run (Custard CI, types: [in_progress]) and therefore runs in the base-repository context. The test job requests id-token: write, authenticates with google-github-actions/auth, and then runs make test, which runs npm install (repo root and the affected package) followed by npm test.

Its only condition today is if: needs.affected.outputs.paths != '[]', with no check on where the triggering pull request came from. A pull request from a fork that adds a package.json marks a path as affected (.github/config/nodejs.jsonc sets "package-file": ["package.json"]), so the job runs, checks out the fork head commit (ref: github.event.workflow_run.head_sha), and executes the fork's npm lifecycle and test scripts. google-github-actions/auth defaults to create_credentials_file: true and export_environment_variables: true, so GOOGLE_APPLICATION_CREDENTIALS points at an impersonation credential for the service account before those scripts run. The result is fork-controlled code execution in the privileged context with access to the service account.

The legacy test job in custard-ci.yaml already refuses to run on forks (github.event.pull_request.head.repo.fork == false). This change applies the same trust boundary to the workflow_run job.

Change

Run the credentialed test job only for trusted refs:

  • workflow_run where the head repository equals this repository (same-repo branches)
  • push (post-merge validation)
  • workflow_dispatch (manual runs)

Fork pull requests continue to get lint and region-tag feedback from custard-ci.yaml, which runs in the unprivileged fork context without credentials. Integration tests that need the service account run once a maintainer lands the change on a branch in this repository or after merge.

Alternative

If running integration tests on fork pull requests before merge is a requirement, the supported way to keep it is a GitHub Environment with required reviewers on this job, so every fork run pauses for an explicit per-run approval that is not skipped for returning contributors. That needs repository settings in addition to workflow changes, so it is out of scope for this PR. Happy to follow up if preferred.

Related, not in this PR

The lint job in custard-run.yaml also checks out the head commit and runs npm install in the base context, though with only statuses: write and no service account. custard-ci.yaml already lints forked pull requests in the unprivileged context, so that job could later move out of the privileged workflow. Left out here to keep this change minimal.

Reported through the Google OSS VRP.

The test job in custard-run.yaml runs on the workflow_run event in the
base-repository context with id-token: write and authenticates to Google
Cloud as kokoro-system-test@long-door-651. It checks out the triggering
commit and runs `make test`, which runs `npm install` and `npm test`. With
only `if: needs.affected.outputs.paths != '[]'`, a pull request opened from a
fork reaches this job, so fork-controlled npm lifecycle and test scripts run
with the service account credentials present in the workspace.

Gate the job so it runs only for trusted refs: same-repo branches on
workflow_run, plus push and workflow_dispatch. Fork pull requests no longer
execute their code in this privileged context. This matches the boundary the
legacy test job in custard-ci.yaml already enforces
(github.event.pull_request.head.repo.fork == false).
@evilgensec evilgensec requested review from a team as code owners July 14, 2026 15:53
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@product-auto-label product-auto-label Bot added samples Issues that are directly related to samples. api: workflows Issues related to the Workflows API. labels Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

api: workflows Issues related to the Workflows API. samples Issues that are directly related to samples.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant