
Wave 2: remaining audit clusters and evidence hardening#26

Merged
tomtastisch merged 2 commits into main from tomtastisch-patch-2
Feb 13, 2026

Conversation

@tomtastisch
Owner

Follow-up wave after PR #25 merge.

Scope:
- close remaining cluster gaps from the agreed plan
- keep SECURITY.md frozen
- maintain all-review-comments-resolved rule

Initial change:
- harden workflow_run convergence checkout to trusted default branch

Copilot AI review requested due to automatic review settings February 13, 2026 17:22
@github-actions github-actions bot added labels version:none (No version bump required, meta-only change), ci (CI/workflow change), impl:config, area:pipeline on Feb 13, 2026
@github-actions
Contributor

github-actions bot commented Feb 13, 2026

Qodana for .NET

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked

Detected 6 dependencies

Third-party software list

This page lists the third-party software dependencies used in FileClassifier

Dependency Version Licenses
Microsoft.IO.RecyclableMemoryStream 3.0.1 MIT
Mime 3.8.0 MIT
MimeTypesMap 1.0.9 MIT
SharpCompress 0.39.0 MIT
System.IO.Hashing 10.0.2 MIT
ZstdSharp.Port 0.8.4 MIT

Contributor

Copilot AI left a comment


Pull request overview

This PR implements security hardening for the workflow_run triggered NuGet convergence verification workflow. It addresses a potential security vulnerability where malicious scripts from an untrusted source could be executed in a privileged workflow context by modifying verifier scripts and triggering a workflow_run event.

Changes:

  • Modified .github/workflows/nuget-online-convergence.yml to checkout the trusted default branch instead of the workflow_run head_sha
  • Added persist-credentials: false to the checkout step for additional security hardening

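The weak and hardened checkout patterns the review summary describes, as an added illustration that is not the repository's own nuget-online-convergence.yml; the upstream workflow name, the verifier script path and the permissions block are assumptions, not values from this PR:

```yaml
# Added illustration, not the repository's own workflow file.
# Document 1: the weak pattern. A workflow_run job runs with the default
# branch's workflow definition and a privileged GITHUB_TOKEN, yet checks out
# the commit that triggered the upstream run, so any script executed from the
# checked-out tree is chosen by whoever authored that commit.
name: nuget-online-convergence (weak pattern, for comparison)
on:
  workflow_run:
    workflows: ["ci"]            # assumed name of the upstream workflow
    types: [completed]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}   # untrusted ref (fork or PR commit)
      - run: ./scripts/verify-convergence.sh               # hypothetical verifier, now attacker-chosen
---
# Document 2: the hardened pattern matching the PR summary. Scripts come from
# the trusted default branch; passing the triggering commit in as plain data
# is an assumption about how the verifier consumes it.
name: nuget-online-convergence (hardened)
on:
  workflow_run:
    workflows: ["ci"]
    types: [completed]
permissions:
  contents: read                 # added least-privilege default, not part of this PR
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}  # trusted: scripts come from main
          persist-credentials: false                           # token is not left in .git/config
      - run: ./scripts/verify-convergence.sh "$TARGET_SHA"
        env:
          TARGET_SHA: ${{ github.event.workflow_run.head_sha }} # untrusted value handled as input, not code
```

A quick check when reviewing similar workflows: grep workflow_run-triggered files for checkout steps whose ref derives from github.event.workflow_run and confirm nothing from that tree is executed.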

@tomtastisch tomtastisch merged commit a716934 into main Feb 13, 2026
24 checks passed
@tomtastisch tomtastisch deleted the tomtastisch-patch-2 branch February 13, 2026 17:30