ci: harden Python test coverage workflow #5982

Open
giles17 wants to merge 1 commit into microsoft:main from giles17:fix/cicd-workflow-security-hardening

Conversation

giles17 (Contributor) commented May 20, 2026

Motivation and Context

Improve input handling and token management in the Python test coverage report workflow.

Description

  • Improve input validation in coverage report workflow
  • Switch to short-lived token for artifact download and PR comment posting
  • Add required permissions for cross-workflow artifact access

Contribution Checklist

  • The code builds clean without any errors or warnings
  • The PR follows the Contribution Guidelines
  • All unit tests pass, and I have added new tests where possible
  • Is this a breaking change? If yes, add [BREAKING] prefix to the title of the PR.

Copilot AI review requested due to automatic review settings, May 20, 2026 21:22

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the Python coverage report workflow_run pipeline against artifact-content injection by validating the PR number before exporting it to GITHUB_ENV, switching from a long-lived PAT to the short-lived github.token, and adding the permissions needed to download artifacts with that token.

Changes:

  • Added actions: read permission to enable artifact download using github.token.
  • Replaced secrets.GH_ACTIONS_PR_WRITE with github.token for artifact download and PR comment posting.
  • Replaced digit-stripping sanitization with strict digits-only validation for pr_number.
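As an added illustration (not the PR's own diff), the shell below shows the difference between the digit-stripping sanitization the review says was removed and the strict digits-only validation that replaced it, applied to a PR number read from an artifact before it is written to GITHUB_ENV. The function names and the constructed artifact files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the PR's own diff: strict pr_number validation for a
# workflow_run job that reads a PR number written by an untrusted upstream
# workflow into an artifact and exports it via GITHUB_ENV.
# Function names and the constructed artifact files below are assumptions.

# The approach the PR replaces: strip every non-digit. Tampered content such as
# "4242 extra" silently degrades to "4242" and the tampering is never noticed.
strip_digits() {
  printf '%s' "$1" | tr -cd '0-9'
}

# Strict replacement: accept only a non-empty run of ASCII digits. A newline,
# space or any other byte fails the check (newlines matter because GITHUB_ENV
# is line-oriented: a second line would define an extra variable).
is_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Read the artifact, validate it, and append to GITHUB_ENV only on success.
# Returns 1 and writes nothing when the content is not a plain integer.
export_pr_number() {
  pr="$(cat "$1" 2>/dev/null)"   # $(...) drops only the final trailing newline
  if ! is_pr_number "$pr"; then
    printf '::error::artifact pr_number is not a plain integer\n' >&2
    return 1
  fi
  printf 'PR_NUMBER=%s\n' "$pr" >> "$2"
}

# Constructed sample artifacts: one well-formed, one with a smuggled second line.
tmp="$(mktemp -d)"
printf '4242\n' > "$tmp/good.txt"
printf '4242\nINJECTED=yes\n' > "$tmp/bad.txt"
: > "$tmp/github_env"

if export_pr_number "$tmp/good.txt" "$tmp/github_env"; then
  echo "good artifact exported: $(cat "$tmp/github_env")"
fi
if ! export_pr_number "$tmp/bad.txt" "$tmp/github_env"; then
  echo "bad artifact rejected, GITHUB_ENV unchanged"
fi
```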

Comment thread .github/workflows/python-test-coverage-report.yml
giles17 changed the title from "Fix CI/CD security vulnerability in coverage report workflow" to "ci: harden Python test coverage workflow" on May 21, 2026
Improve input handling and token management in the Python test coverage
workflows.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
giles17 force-pushed the fix/cicd-workflow-security-hardening branch from 035c6a4 to 2cf61d0 on May 21, 2026 22:43
