ci: Try to auto-fix flaky test issues#20793
Conversation
![sentry-warden[bot]](https://avatars.githubusercontent.com/in/2755838?s=60&v=4){kind=small}
|
adjusted this a bit and introduced prompt injection checker from triage-issue here as well. |
| id: triage | ||
| uses: anthropics/claude-code-action@v1 | ||
| with: | ||
| anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} |
There was a problem hiding this comment.
Mutable third-party action ref runs with secrets and write token
The workflow pins anthropics/claude-code-action@v1 (a moving tag) in a job that exposes ANTHROPIC_API_KEY, a pull-requests: write GITHUB_TOKEN, and id-token: write. A compromise or retag of the upstream v1 tag would let attacker-controlled action code exfiltrate the Anthropic API key, open or modify pull requests under the repo's identity, and mint OIDC tokens. Pin third-party actions to a full 40-character commit SHA to remove the upstream tag-rewrite supply-chain path.
Verification
Read the workflow hunk; confirmed permissions block grants pull-requests: write and id-token: write and the step passes ANTHROPIC_API_KEY and GITHUB_TOKEN into a third-party action referenced by floating tag @v1. Checked references/github-workflows.md mutable-action table: third-party mutable ref with secrets/OIDC/non-trivial write token => medium.
Identified by Warden security-review · SZ3-4PD
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 72358be. Configure here.
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||
| allowed_non_write_users: '*' | ||
| prompt: | | ||
| Fix the issue in getsentry/sentry-javascript with number #{{ steps.parse-issue.outputs.issue_number }}. |
There was a problem hiding this comment.
Missing $ in GitHub Actions expression interpolation
High Severity
The prompt uses {{ steps.parse-issue.outputs.issue_number }} instead of ${{ steps.parse-issue.outputs.issue_number }}. Without the $ prefix, GitHub Actions won't interpolate the expression, and Claude will receive the literal string {{ steps.parse-issue.outputs.issue_number }} instead of the actual issue number. This means Claude will never know which issue to fix. Line 58 of the same file correctly uses the ${{ }} syntax for the same output.
Reviewed by Cursor Bugbot for commit 72358be. Configure here.
| --- | ||
| title: '[Flaky CI]: {{ env.JOB_NAME }} - {{ env.TEST_NAME }}' | ||
| labels: Tests, Bug | ||
| labels: Tests, Bug, "Flaky Test" |
There was a problem hiding this comment.
Template label change is a no-op for issue creation
Medium Severity
Adding "Flaky Test" to the template's frontmatter labels has no effect because report-ci-failures.mjs hard-codes labels as ['Tests', 'Bug'] when creating issues (ignoring the template's labels field). This means auto-created flaky test issues will never receive the Flaky Test label, and the auto-fix workflow's condition contains(github.event.issue.labels.*.name, 'Flaky Test') will never match for those issues when the issues trigger is eventually enabled.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 72358be. Configure here.
size-limit report 📦
|
1 participant
This adds a workflow that tries to auto-fix a given issue. It is auto-run for flaky test issues.