From d9feca099092f30128a38aba444ba68d50265c94 Mon Sep 17 00:00:00 2001 From: Pranay Prakash Date: Wed, 22 Apr 2026 12:41:15 -0700 Subject: [PATCH 1/2] drop setup-command input from reusable community-world workflows The community-world matrix is produced by running scripts/create-community-worlds-matrix.mjs in the fork PR's checkout, so any field on it is attacker-controlled. Forwarding matrix.world.setup-command into the reusable workflow and eval-ing it let a malicious fork PR execute arbitrary shell on the runner. Replace the pass-through with a hardcoded per-world-id case in the reusable workflows (only turso currently needs a setup step) and drop the setup field from the matrix generator. --- .changeset/drop-setup-command-input.md | 2 ++ .github/workflows/benchmark-community-world.yml | 15 +++++++-------- .github/workflows/benchmarks.yml | 1 - .github/workflows/e2e-community-world.yml | 15 +++++++-------- .github/workflows/tests.yml | 1 - scripts/create-community-worlds-matrix.mjs | 1 - 6 files changed, 16 insertions(+), 19 deletions(-) create mode 100644 .changeset/drop-setup-command-input.md diff --git a/.changeset/drop-setup-command-input.md b/.changeset/drop-setup-command-input.md new file mode 100644 index 0000000000..a845151cc8 --- /dev/null +++ b/.changeset/drop-setup-command-input.md @@ -0,0 +1,2 @@ +--- +--- diff --git a/.github/workflows/benchmark-community-world.yml b/.github/workflows/benchmark-community-world.yml index 59ea72b424..9050cb5ec5 100644 --- a/.github/workflows/benchmark-community-world.yml +++ b/.github/workflows/benchmark-community-world.yml @@ -34,11 +34,6 @@ on: required: false type: string default: 'none' - setup-command: - description: 'Setup command to run after installing the world package' - required: false - type: string - default: '' full-suite: description: 'Run full benchmark suite including long-running tests' required: false 
@@ -116,14 +111,18 @@ jobs: WORLD_PACKAGE: ${{ inputs.world-package }} run: pnpm --filter "$APP_NAME" add "$WORLD_PACKAGE" + # Per-world setup. Hardcoded (not taken from the matrix) so a malicious + # fork PR cannot smuggle arbitrary shell through matrix.world.setup-command. - name: Run setup command - if: ${{ inputs.setup-command != '' }} env: APP_NAME: ${{ inputs.app-name }} - SETUP_COMMAND: ${{ inputs.setup-command }} + WORLD_ID: ${{ inputs.world-id }} run: | cd "workbench/$APP_NAME" - eval "$SETUP_COMMAND" + case "$WORLD_ID" in + turso) pnpm exec workflow-turso-setup ;; + *) echo "No setup required for $WORLD_ID" ;; + esac - name: Resolve symlinks env: diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml index 0514692c72..74098f9e43 100644 --- a/.github/workflows/benchmarks.yml +++ b/.github/workflows/benchmarks.yml @@ -461,7 +461,6 @@ jobs: world-package: ${{ matrix.world.package }} service-type: ${{ matrix.world.service-type }} env-vars: ${{ matrix.world.env-vars }} - setup-command: ${{ matrix.world.setup-command }} # Run full suite only when manually triggered with full_suite=true full-suite: ${{ (github.event_name == 'workflow_dispatch' && inputs.full_suite) || contains(github.event.pull_request.labels.*.name, 'stress-test') }} secrets: inherit diff --git a/.github/workflows/e2e-community-world.yml b/.github/workflows/e2e-community-world.yml index 8a70b934a0..fbcf514e70 100644 --- a/.github/workflows/e2e-community-world.yml +++ b/.github/workflows/e2e-community-world.yml @@ -34,11 +34,6 @@ on: required: false type: string default: 'none' - setup-command: - description: 'Setup command to run after installing the world package' - required: false - type: string - default: '' jobs: e2e: 
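Review bot: In the new `turso)` branch, `pnpm exec workflow-turso-setup` resolves its binary from whatever the preceding step installed with `pnpm --filter "$APP_NAME" add "$WORLD_PACKAGE"`, and `inputs.world-package` is filled from the same matrix as `inputs.world-id`, which the commit description treats as attacker-controlled. Hardcoding the command name therefore does not pin the code that runs: a matrix entry that pairs the id `turso` with a different package would still have that package's `workflow-turso-setup` executed, and depending on the pnpm version and settings its install scripts may also run during the add step. Consider pinning the id-to-package mapping in the reusable workflow too and failing before the add step on a mismatch, for example `[ "$WORLD_ID" != turso ] || [ "$WORLD_PACKAGE" = "<expected turso package>" ] || exit 1`, or generating the matrix from the base ref rather than the PR checkout. The same applies to the identical hunk in `.github/workflows/e2e-community-world.yml`; in both files the step sits in a job whose other steps lie outside the hunk, so what else consumes `env-vars` and `service-type` is not visible here.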
@@ -112,14 +107,18 @@ jobs: WORLD_PACKAGE: ${{ inputs.world-package }} run: pnpm --filter "$APP_NAME" add "$WORLD_PACKAGE" + # Per-world setup. Hardcoded (not taken from the matrix) so a malicious + # fork PR cannot smuggle arbitrary shell through matrix.world.setup-command. - name: Run setup command - if: ${{ inputs.setup-command != '' }} env: APP_NAME: ${{ inputs.app-name }} - SETUP_COMMAND: ${{ inputs.setup-command }} + WORLD_ID: ${{ inputs.world-id }} run: | cd "workbench/$APP_NAME" - eval "$SETUP_COMMAND" + case "$WORLD_ID" in + turso) pnpm exec workflow-turso-setup ;; + *) echo "No setup required for $WORLD_ID" ;; + esac - name: Resolve symlinks env: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 041fd1762a..c9f969070e 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -731,7 +731,6 @@ jobs: world-package: ${{ matrix.world.package }} service-type: ${{ matrix.world.service-type }} env-vars: ${{ matrix.world.env-vars }} - setup-command: ${{ matrix.world.setup-command }} secrets: inherit # Final job: Aggregate all E2E results and update PR comment diff --git a/scripts/create-community-worlds-matrix.mjs b/scripts/create-community-worlds-matrix.mjs index 75b3aec8b1..de156bf5d6 100644 --- a/scripts/create-community-worlds-matrix.mjs +++ b/scripts/create-community-worlds-matrix.mjs @@ -63,7 +63,6 @@ const matrix = { package: world.package, 'service-type': serviceType, 'env-vars': JSON.stringify(world.env || {}), - 'setup-command': world.setup || '', }; }), }; From 9cf6b2b70db4c7534289ac844e5c95c0b481d6c6 Mon Sep 17 00:00:00 2001 From: Pranay Prakash Date: Wed, 22 Apr 2026 13:16:14 -0700 Subject: [PATCH 2/2] rename step to "Per-world setup" Addresses Copilot review feedback: the step no longer executes an arbitrary command, so the old name was misleading. --- .github/workflows/benchmark-community-world.yml | 2 +- .github/workflows/e2e-community-world.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/benchmark-community-world.yml b/.github/workflows/benchmark-community-world.yml index 9050cb5ec5..a15b29a27e 100644 --- a/.github/workflows/benchmark-community-world.yml +++ b/.github/workflows/benchmark-community-world.yml @@ -113,7 +113,7 @@ jobs: # Per-world setup. Hardcoded (not taken from the matrix) so a malicious # fork PR cannot smuggle arbitrary shell through matrix.world.setup-command. - - name: Run setup command + - name: Per-world setup env: APP_NAME: ${{ inputs.app-name }} WORLD_ID: ${{ inputs.world-id }} diff --git a/.github/workflows/e2e-community-world.yml b/.github/workflows/e2e-community-world.yml index fbcf514e70..50558593b7 100644 --- a/.github/workflows/e2e-community-world.yml +++ b/.github/workflows/e2e-community-world.yml @@ -109,7 +109,7 @@ jobs: # Per-world setup. Hardcoded (not taken from the matrix) so a malicious # fork PR cannot smuggle arbitrary shell through matrix.world.setup-command. - - name: Run setup command + - name: Per-world setup env: APP_NAME: ${{ inputs.app-name }} WORLD_ID: ${{ inputs.world-id }}