Iand/recipe scanner updates #4584
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
iandouglas
requested review from
EbonyLouis and
Copilot
and removed request for
EbonyLouis
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR updates the GitHub Actions workflow configuration for recipe validation and security scanning, changing from pull_request to pull_request_target triggers and adding additional permissions and validations.
Key changes:
- Switch workflow triggers from
pull_requesttopull_request_targetfor both validation and security scanning workflows - Add
issues: writepermission to both workflows - Enhance git diff filtering to only check added/modified files
- Add secrets validation in the security scanner workflow
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/validate-recipe-pr.yml | Updates trigger to pull_request_target, adds issues permission, and improves git diff filtering |
| .github/workflows/recipe-security-scanner.yml | Updates trigger to pull_request_target, adds issues permission, and adds secrets validation |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
|
||
| on: | ||
| pull_request: | ||
| pull_request_target: |
There was a problem hiding this comment.
Using pull_request_target instead of pull_request can be a security risk as it runs with write permissions in the context of the target repository. This allows potentially malicious code from external contributors to access secrets and modify the repository. Consider using pull_request with explicit checkout of the PR branch if write permissions are needed, or ensure proper input validation and sandboxing.
Suggested change
| pull_request_target: | |
| pull_request: |
|
|
||
| on: | ||
| pull_request: | ||
| pull_request_target: |
There was a problem hiding this comment.
Using pull_request_target instead of pull_request poses a security risk, especially in a security scanning workflow that has access to secrets (OPENAI_API_KEY, TRAINING_DATA_*). This trigger runs with repository write permissions and access to secrets even for external contributors, potentially allowing malicious actors to exfiltrate secrets or modify the repository.
Suggested change
| pull_request_target: | |
| pull_request: |
blackgirlbytes
approved these changes
Sep 9, 2025
katzdave
added a commit
that referenced
this pull request
Sep 10, 2025
…data * 'main' of github.com:block/goose: refactor: add new recipe dependency updater (#4596) chore: fix nightly builds to have tags (#4595) feat: Import file contents from recipe 'file' input type parameter (#4558) also adding this change to the api key send for recipes (#4587) Fix local (working directory) recipes storage (#4588) fix: don't redact tool calls (#4589) Prompt injection detection (simplified - only pattern matching) (#4237) feat: add streaming support to Tetrate Agent Router Service provider (#4477) docs: goosehints updates (#4581) Iand/recipe scanner updates (#4584) patching recipe scanning workflows for permissions changes (#4579) fix: onboarding endpoints send token secret (#4575) Fix : Google AI schema validation by adding missing array items fields (#4569) Add unified diff support to text editor (#4522)
zanesq
added a commit
that referenced
this pull request
Sep 10, 2025
…links-overflow * 'main' of github.com:block/goose: refactor: add new recipe dependency updater (#4596) chore: fix nightly builds to have tags (#4595) feat: Import file contents from recipe 'file' input type parameter (#4558) also adding this change to the api key send for recipes (#4587) Fix local (working directory) recipes storage (#4588) fix: don't redact tool calls (#4589) Prompt injection detection (simplified - only pattern matching) (#4237) feat: add streaming support to Tetrate Agent Router Service provider (#4477) docs: goosehints updates (#4581) Iand/recipe scanner updates (#4584) # Conflicts: # ui/desktop/src/components/GooseMessage.tsx
michaelneale
added a commit
that referenced
this pull request
Sep 10, 2025
* main: (29 commits) docs: update built-in extensions list and fix link (#4601) Add Message Metadata for Visibility Control (#4538) Remove deprecated Claude 3.5 models (#4590) Remove unused loadRecipe function (#4599) Send the secret with decodeRecipe (#4597) fix markdown links overflowing content and hide agent link previews (#4585) refactor: add new recipe dependency updater (#4596) chore: fix nightly builds to have tags (#4595) feat: Import file contents from recipe 'file' input type parameter (#4558) also adding this change to the api key send for recipes (#4587) Fix local (working directory) recipes storage (#4588) fix: don't redact tool calls (#4589) Prompt injection detection (simplified - only pattern matching) (#4237) feat: add streaming support to Tetrate Agent Router Service provider (#4477) docs: goosehints updates (#4581) Iand/recipe scanner updates (#4584) patching recipe scanning workflows for permissions changes (#4579) fix: onboarding endpoints send token secret (#4575) Fix : Google AI schema validation by adding missing array items fields (#4569) Add unified diff support to text editor (#4522) ...
michaelneale
added a commit
that referenced
this pull request
Sep 10, 2025
* main: (30 commits) docs: update built-in extensions list and fix link (#4601) Add Message Metadata for Visibility Control (#4538) Remove deprecated Claude 3.5 models (#4590) Remove unused loadRecipe function (#4599) Send the secret with decodeRecipe (#4597) fix markdown links overflowing content and hide agent link previews (#4585) refactor: add new recipe dependency updater (#4596) chore: fix nightly builds to have tags (#4595) feat: Import file contents from recipe 'file' input type parameter (#4558) also adding this change to the api key send for recipes (#4587) Fix local (working directory) recipes storage (#4588) fix: don't redact tool calls (#4589) Prompt injection detection (simplified - only pattern matching) (#4237) feat: add streaming support to Tetrate Agent Router Service provider (#4477) docs: goosehints updates (#4581) Iand/recipe scanner updates (#4584) patching recipe scanning workflows for permissions changes (#4579) fix: onboarding endpoints send token secret (#4575) Fix : Google AI schema validation by adding missing array items fields (#4569) Add unified diff support to text editor (#4522) ...
thebristolsound
pushed a commit
to thebristolsound/goose
that referenced
this pull request
Sep 11, 2025
Signed-off-by: Matt Donovan <mattddonovan@protonmail.com>
Merged
HikaruEgashira
pushed a commit
to HikaruEgashira/goose
that referenced
this pull request
Oct 3, 2025
Signed-off-by: HikaruEgashira <hikaru-egashira@c-fo.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request Description
trying one more update for the PR process for the recipe scanner