ci: harden trigger-scylla-ci workflow against credential leaks and untrusted PRs

refs: https://github.com/scylladb/scylladb/security/advisories/GHSA-wrqg-xx2q-r3fv - Remove -v and -i flags from curl to prevent credentials from being logged in workflow output - Move PR_NUMBER and PR_REPO_NAME into the env block with proper quoting to prevent shell injection via crafted PR metadata - Add org membership verification step for pull_request_target events so that only PRs from scylladb org members can trigger Jenkins CI Fixes: https://scylladb.atlassian.net/browse/SCYLLADB-796 Closes scylladb/scylladb#28785 (cherry picked from commit 98494e08eb) Closes scylladb/scylladb#28809
2026-04-20 16:40:35 +00:00 · 2026-02-24 14:55:41 +02:00
parent 4f5d10ccd0
commit 080e04f686
1 changed files with 23 additions and 4 deletions
--- a/.github/workflows/trigger-scylla-ci.yaml
+++ b/.github/workflows/trigger-scylla-ci.yaml
@@ -12,6 +12,25 @@ jobs:
    if: (github.event_name == 'issue_comment' && github.event.comment.user.login != 'scylladbbot') || github.event.label.name == 'conflicts'
    runs-on: ubuntu-latest
    steps:
+      - name: Verify Org Membership
+        id: verify_author
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
+            AUTHOR="${{ github.event.pull_request.user.login }}"
+          else
+            AUTHOR="${{ github.event.comment.user.login }}"
+          fi
+          ORG="scylladb"
+          if gh api "/orgs/${ORG}/members/${AUTHOR}" --silent 2>/dev/null; then
+            echo "member=true" >> $GITHUB_OUTPUT
+          else
+            echo "::warning::${AUTHOR} is not a member of ${ORG}; skipping CI trigger."
+            echo "member=false" >> $GITHUB_OUTPUT
+          fi
+
      - name: Validate Comment Trigger
        if: github.event_name == 'issue_comment'
        id: verify_comment
@@ -30,13 +49,13 @@ jobs:
          fi

      - name: Trigger Scylla-CI-Route Jenkins Job
-        if: github.event_name == 'pull_request_target' || steps.verify_comment.outputs.trigger == 'true'
+        if: steps.verify_author.outputs.member == 'true' && (github.event_name == 'pull_request_target' || steps.verify_comment.outputs.trigger == 'true')
        env:
          JENKINS_USER: ${{ secrets.JENKINS_USERNAME }}
          JENKINS_API_TOKEN: ${{ secrets.JENKINS_TOKEN }}
          JENKINS_URL: "https://jenkins.scylladb.com"
+          PR_NUMBER: "${{ github.event.issue.number || github.event.pull_request.number }}"
+          PR_REPO_NAME: "${{ github.event.repository.full_name }}"
        run: |
-          PR_NUMBER=${{ github.event.issue.number || github.event.pull_request.number }}
-          PR_REPO_NAME=${{ github.event.repository.full_name }}
          curl -X POST "$JENKINS_URL/job/releng/job/Scylla-CI-Route/buildWithParameters?PR_NUMBER=$PR_NUMBER&PR_REPO_NAME=$PR_REPO_NAME" \
-          --user "$JENKINS_USER:$JENKINS_API_TOKEN" --fail -i -v
+            --user "$JENKINS_USER:$JENKINS_API_TOKEN" --fail