hermes - 💡(How to fix) Fix ci: harden lint workflow against head_ref script injection [2 pull requests]

Finding

.github/workflows/lint.yml interpolates ${{ github.head_ref }}, ${{ github.base_ref }}, and ${{ github.ref_name }} directly into bash run: blocks in the lint-diff job. GitHub Actions expression interpolation happens before the runner shell parses the script, so a fork PR with a branch name containing $(), backticks, or "-terminating payloads can break out of the surrounding quotes and execute arbitrary shell.

Offending interpolations (current main)

Threat model

This is CI hardening, not a private-security advisory:

• Fork PR GITHUB_TOKENs are read-only on pull_request triggers.
• The affected job does not read or expose secrets.
• No mutation of repo state happens in the compromised step.

The realistic blast radius is attacker-controlled compute inside the lint-diff job (the PR-comment payload, lint reports artifact, etc.). Still worth fixing on first sight: once compute is attacker-controlled, exfil and confused-deputy chains open up cheaply.

Recommended fix

Move PR-derived expressions into step-level env: mappings and reference them via bash variable expansion ("$HEAD_REF", "$BASE_REF", "$BASE_REF_INPUT"). This is the pattern GitHub recommends in Security hardening for GitHub Actions → "Using an intermediate environment variable".

Add a regression test that parses .github/workflows/lint.yml and asserts the lint-diff job's run: blocks contain no ${{ github.head_ref|base_ref|ref_name|event.(pull_request|issue|comment).* }} interpolations.

Scope

Just lint.yml for now — a repo-wide grep of github.(head_ref|base_ref|ref_name) against .github/workflows/ returns matches only in this file. A cross-workflow invariant test is worth doing separately.

References

• GitHub Actions security hardening guide
• GitHub Actions: Script injection prevention