DO NOT MERGE --- TEST #37
Conversation
github-actions
bot
added
maintainers modified
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| - name: ATTACKER | ||
| email: ATTACKER | ||
| github: attacker | ||
| groups: ["*"] | ||
| key: | |
There was a problem hiding this comment.
The entry that previously described the real maintainer connor now reports the name, email, and GitHub handle as ATTACKER while still publishing Connor’s PGP key and granting membership in every group. Any tooling or humans relying on maintainers.yml for ownership, security review routing, or contact information will attribute privileged access to a fictitious account and sever the link to the actual maintainer. This misrepresentation can prevent escalation paths and facilitate social‑engineering mistakes; please revert to the authentic maintainer metadata.
Useful? React with 👍 / 👎.
| maintainers modified: | ||
| - changed-files: | ||
| - any-glob-to-any-file: | ||
| - 'maintainers.yml' | ||
| - 'blah.yml' | ||
|
|
||
| dangerous: | ||
| - changed-files: | ||
| - any-glob-to-any-file: | ||
| - '.github/**' | ||
| - '.git-crypt/**' | ||
| - 'ci/**' | ||
| - 'maintainers.yml' | ||
| - '.gitattributes' |
There was a problem hiding this comment.
The maintainers modified label now watches blah.yml, a file that does not exist, and the dangerous label no longer includes ci/** or maintainers.yml. With these patterns removed, PRs that touch the CI scripts or the maintainers file will not be flagged for extra scrutiny by the automation that reviewers rely on. That weakens the protection around sensitive code paths and makes it easier to merge risky changes unnoticed.
Useful? React with 👍 / 👎.
|
Interesting... So it uses master's labeler somehow? |
Yeah, This allows the PR to actually do privileged actions (like push to main, or in this case, label PRs). You cannot do privileged actions in a But it also means that the action runs in the context of the main branch on the latest commit. Technically this also isn't exactly correct, but it looks like it will be in December (https://github.blog/changelog/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes/). Right now it acts in the context of the base branch you're trying to merge into. When you use this event type, you need to be careful to not run untrusted code. Inevitably we will probably be using this event type to run private tests (to use the repository private GPG key to unlock them), and will need to be careful (e.g. use main's |
|
@zardus are we ready to close this PR, or did you still have some things you wanted to test with it? |
No description provided.