[Safe Outputs Conformance] SEC-005: Cross-repository targeting handlers lack allowlist validation #17758

@github-actions

Conformance Check Failure

Check ID: SEC-005
Severity: HIGH
Category: Security

Problem Description

Three handlers were flagged by the SEC-005 cross-repository validation check as supporting target-repo parameters without the required allowlist validation. Cross-repository operations must verify the target repository against an approved allowlist to prevent unauthorized write operations to arbitrary repositories.

Of the three flagged files, at least one (assign_agent_helpers.cjs) performs genuine cross-repository GitHub API operations (PR creation in a different repository via targetRepositoryId) without any allowlist check. The other two require review to determine if the match is a genuine cross-repo operation or an artifact of the check's regex.

Affected Components

  • actions/setup/js/assign_agent_helpers.cjs — Uses targetRepositoryId / targetRepoId for cross-repo PR creation via GraphQL (lines ~249, 292–293, 333, 362)
  • actions/setup/js/collect_ndjson_output.cjs — Parses targetRepo from a split operation (lines ~231–241); may accept user-supplied repository name
  • actions/setup/js/submit_pr_review.cjs — Flagged by regex match; review needed to determine if genuine cross-repo concern

Current Behavior

In assign_agent_helpers.cjs, cross-repo PR creation accepts a pullRequestRepoId parameter that is passed directly to the GitHub GraphQL API as targetRepositoryId without verifying it against any list of allowed repositories.

In collect_ndjson_output.cjs, targetRepo is initialized from context.repo.repo but can be overridden via a split operation (parts[1]), potentially allowing user-influenced cross-repo targeting.

Expected Behavior

Per the Safe Outputs specification, handlers that support cross-repository targeting MUST validate the target repository against an approved allowlist before making any API calls. The allowlist check should occur before any GitHub API interaction.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Review each flagged file to confirm whether cross-repository targeting is genuinely occurring or is a regex false positive.
  2. For assign_agent_helpers.cjs: Add allowlist validation before using pullRequestRepoId as targetRepositoryId. The allowlist should be sourced from the workflow configuration (e.g., allowed-repos config field) and checked before the GraphQL mutation is executed.
  3. For collect_ndjson_output.cjs: Determine if parts[1] (the user-influenced targetRepo) is an untrusted input. If so, validate it against an allowlist of permitted repositories before use.
  4. For submit_pr_review.cjs: Review the flagged line and confirm if it's a genuine cross-repo operation. If it is, apply the same allowlist pattern; if not, document why it is safe.
  5. Add or reference a shared validateTargetRepo(repo, allowedRepos) utility function that can be reused across all cross-repo handlers.

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

SEC-005 should pass without errors for all three handlers.

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh (lines 152–175)
  • Run ID: §22281286232
  • Date: 2026-02-22

Generated by Daily Safe Outputs Conformance Checker

  • expires on Feb 23, 2026, 5:01 PM UTC
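
One way the shared helper named in remediation step 5 could look, as an added example that is not code from the repository or from this issue. It assumes targets and allowlist entries are owner/repo slugs, compares them case-insensitively, and fails closed when the allowlist is missing or empty; the return shape and the normalizeSlug helper are assumptions.

```javascript
// Hypothetical implementation of validateTargetRepo(repo, allowedRepos).
// Assumption: targets and allowlist entries are "owner/repo" slugs.
// Owner: 1-39 alphanumerics or hyphens; name: 1-100 of [A-Za-z0-9._-].
const SLUG_RE = /^[A-Za-z0-9][A-Za-z0-9-]{0,38}\/[A-Za-z0-9._-]{1,100}$/;

// Returns a lowercased slug, or null if the value is not a well-formed slug.
function normalizeSlug(value) {
  if (typeof value !== "string") return null;
  const slug = value.trim();
  if (!SLUG_RE.test(slug)) return null; // rejects extra "/" segments, spaces, "*"
  const name = slug.split("/")[1];
  if (name === "." || name === "..") return null;
  return slug.toLowerCase(); // GitHub owner and repo names are case-insensitive
}

// Call this before any GitHub API interaction; proceed only when ok === true.
function validateTargetRepo(repo, allowedRepos) {
  const target = normalizeSlug(repo);
  if (target === null) {
    return { ok: false, reason: "target is not a well-formed owner/repo slug" };
  }
  if (!Array.isArray(allowedRepos) || allowedRepos.length === 0) {
    return { ok: false, reason: "no allowlist configured" }; // fail closed
  }
  // Malformed entries (including wildcards) are dropped, never matched.
  const allowed = new Set();
  for (const entry of allowedRepos) {
    const slug = normalizeSlug(entry);
    if (slug !== null) allowed.add(slug);
  }
  if (!allowed.has(target)) {
    return { ok: false, reason: `repository ${target} is not in the allowlist` };
  }
  return { ok: true, repo: target };
}

// Constructed sample values, for illustration only.
const SAMPLE_ALLOWLIST = ["octo-org/docs", "Octo-Org/Website"];
for (const candidate of ["octo-org/docs", "OCTO-ORG/website", "other/repo"]) {
  console.log(candidate, validateTargetRepo(candidate, SAMPLE_ALLOWLIST));
}
```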
