Problem
review.yml uploads .reviews/journal.jsonl as a workflow artifact (30-day
retention). Eval bindings are journaled, and on a public repo any logged-in
user can download artifacts — Actions log masking does not apply to artifact
contents. GitHubComment was fixed to read GITHUB_TOKEN inline instead of
binding it, but the protection is convention only: any document or component
that assigns a secret to a binding puts it in a downloadable artifact.
Proposal
- Scrub the journal before upload: redact the values of known secret env vars
(GITHUB_TOKEN, DEEPINFRA_TOKEN, …) from journal.jsonl.
- Deterministic backstop: scan the journal for credential prefixes
(ghs_, ghp_, github_pat_, …) and fail the job on a hit.
- Same treatment for
repo-analysis.yml's journal artifact.
Problem
review.ymluploads.reviews/journal.jsonlas a workflow artifact (30-dayretention). Eval bindings are journaled, and on a public repo any logged-in
user can download artifacts — Actions log masking does not apply to artifact
contents.
GitHubCommentwas fixed to readGITHUB_TOKENinline instead ofbinding it, but the protection is convention only: any document or component
that assigns a secret to a binding puts it in a downloadable artifact.
Proposal
(
GITHUB_TOKEN,DEEPINFRA_TOKEN, …) fromjournal.jsonl.(
ghs_,ghp_,github_pat_, …) and fail the job on a hit.repo-analysis.yml's journal artifact.