security: add job-level if-guard to example stubs (gate comment trigger by actor)
Build & push image / build-and-push (push) Successful in 5s
Per a Gadfly self-review finding (kimi-k2.7-code): an issue_comment can start a secret-bearing run before the in-container allowed-users check. Add a workflow if: that only lets trusted actors trigger via comment (PR/dispatch already trusted); keep GADFLY_ALLOWED_USERS as the belt-and-suspenders layer.

README documents it + the default-branch caveat for comment triggers. (Docs/examples only — paths-ignored, no image rebuild.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -33,6 +33,13 @@ concurrency:

jobs:
review:
# Security: only trusted users may trigger a secret-bearing run via a PR
# comment (pull_request + workflow_dispatch are already trusted). Replace the
# username(s) below with your maintainers — keep them in sync with
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
if: >-
github.event_name != 'issue_comment'
|| github.actor == 'your-username'
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
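Review bot: the comment branch of the `if:` admits only the single literal `'your-username'`, while the comment above it speaks of "username(s)", so a second maintainer cannot be added without growing the expression into a chain of `||` clauses that drift out of sync with GADFLY_ALLOWED_USERS. An array membership test keeps the trusted list in one place, e.g. `|| contains(fromJSON('["maintainer-one","maintainer-two"]'), github.actor)`, and reads the same way as the in-container allow-list it is meant to mirror.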
@@ -32,6 +32,13 @@ concurrency:

jobs:
review:
# Security: only trusted users may trigger a secret-bearing run via a PR
# comment (pull_request + workflow_dispatch are already trusted). Replace the
# username(s) below with your maintainers — keep them in sync with
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
if: >-
github.event_name != 'issue_comment'
|| github.actor == 'your-username'
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
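Review bot: `github.event_name != 'issue_comment'` trusts every event that is not a comment, but the `on:` block sits outside this hunk, so the comment's claim that only pull_request and workflow_dispatch remain is an assumption the expression does not enforce; if a later edit adds `pull_request_target` to the triggers, that event runs with secrets for fork PRs and would pass the guard untouched. An explicit allow-list of the trusted events, e.g. `contains(fromJSON('["pull_request","workflow_dispatch"]'), github.event_name)` in place of the inequality, makes the stated intent hold however the triggers evolve.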
@@ -28,6 +28,13 @@ concurrency:

jobs:
review:
# Security: only trusted users may trigger a secret-bearing run via a PR
# comment (pull_request + workflow_dispatch are already trusted). Replace the
# username(s) below with your maintainers — keep them in sync with
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
if: >-
github.event_name != 'issue_comment'
|| github.actor == 'your-username'
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
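Review bot: the `# Security:` comment describes the trigger as a PR comment, but `issue_comment` also fires for comments on ordinary issues, and the `if:` checks only the actor, so a trusted user commenting on an issue would start the job with no pull request to review. Adding `&& github.event.issue.pull_request` to the comment branch (or checking that field in the step that reads the comment) ties the trigger to pull requests as the comment describes.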
@@ -30,6 +30,13 @@ concurrency:

jobs:
review:
# Security: only trusted users may trigger a secret-bearing run via a PR
# comment (pull_request + workflow_dispatch are already trusted). Replace the
# username(s) below with your maintainers — keep them in sync with
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
if: >-
github.event_name != 'issue_comment'
|| github.actor == 'your-username'
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
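Review bot: these are example stubs, and for `issue_comment` GitHub evaluates the workflow file from the default branch, so the `if:` guard added here is not applied to comment triggers until the stub is merged there; the commit message says the README documents this caveat, but a reader copying the stub into a feature branch will see the guard ignored and have no hint why. A one-line addition to the `# Security:` comment block saying the guard only takes effect from the default branch keeps the warning next to the code rather than only in the README.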