Skip to content

Remove secrets: inherit from changelog-preview workflow#1355

Open
semgrep-code-getsentry[bot] wants to merge 1 commit into
mainfrom
semgrep-autofix/1783325264
Open

Remove secrets: inherit from changelog-preview workflow#1355
semgrep-code-getsentry[bot] wants to merge 1 commit into
mainfrom
semgrep-autofix/1783325264

Conversation

@semgrep-code-getsentry

Copy link
Copy Markdown

Remove secrets: inherit from the changelog-preview workflow to follow the principle of least privilege.

Changes

  • Removed secrets: inherit from .github/workflows/changelog-preview.yml
  • The reusable workflow still receives GITHUB_TOKEN automatically via the caller's permissions: block, which is all it needs to read PR data and post comments/statuses

Why

Using secrets: inherit passes all repository secrets (e.g. deploy keys, publishing credentials) to the called workflow, even though the changelog-preview workflow only needs GITHUB_TOKEN. If the third-party reusable workflow were compromised, an attacker would gain access to every secret in the repository. Since GITHUB_TOKEN is automatically available to reusable workflows based on the caller's permissions, removing secrets: inherit eliminates unnecessary secret exposure without breaking functionality.

Semgrep Finding Details

This workflow uses secrets: inherit to pass all of the calling workflow's secrets to a reusable workflow. This violates the principle of least privilege because the called workflow receives access to every secret in the repository, not just the ones it needs. If the called workflow is compromised or sourced from a third party, an attacker gains access to all repository secrets. Instead, explicitly pass only the secrets that the called workflow requires using the secrets: map, e.g. secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} }.

nelson.osacky@sentry.io requested this Autofix PR for this finding from the detection rule yaml.github-actions.security.secrets-inherit.secrets-inherit.


⚠️ Review carefully before merging. This PR was generated by AI and may cause breaking changes or introduce new vulnerabilities.

Remove `secrets: inherit` from the changelog-preview workflow to follow the principle of least privilege.

## Changes
- Removed `secrets: inherit` from `.github/workflows/changelog-preview.yml`
- The reusable workflow still receives `GITHUB_TOKEN` automatically via the caller's `permissions:` block, which is all it needs to read PR data and post comments/statuses

## Why
Using `secrets: inherit` passes all repository secrets (e.g. deploy keys, publishing credentials) to the called workflow, even though the changelog-preview workflow only needs `GITHUB_TOKEN`. If the third-party reusable workflow were compromised, an attacker would gain access to every secret in the repository. Since `GITHUB_TOKEN` is automatically available to reusable workflows based on the caller's permissions, removing `secrets: inherit` eliminates unnecessary secret exposure without breaking functionality.

## Semgrep Finding Details
This workflow uses `secrets: inherit` to pass all of the calling workflow's secrets to a reusable workflow. This violates the principle of least privilege because the called workflow receives access to every secret in the repository, not just the ones it needs. If the called workflow is compromised or sourced from a third party, an attacker gains access to all repository secrets. Instead, explicitly pass only the secrets that the called workflow requires using the `secrets:` map, e.g. `secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} }`.

nelson.osacky@sentry.io requested this Autofix PR for [this finding](https://semgrep.dev/orgs/sentry/findings/876469208) from the detection rule [yaml.github-actions.security.secrets-inherit.secrets-inherit](https://semgrep.dev/r/yaml.github-actions.security.secrets-inherit.secrets-inherit).
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
Fails
🚫 Please consider adding a changelog entry for the next release.

Instructions and example for changelog

Please add an entry to CHANGELOG.md to the "Unreleased" section. Make sure the entry includes this PR's number.

Example:

## Unreleased

### Features

- inherit from changelog-preview workflow ([#1355](https://github.com/getsentry/sentry-android-gradle-plugin/pull/1355))

If none of the above apply, you can opt out of this check by adding #skip-changelog to the PR description or adding a skip-changelog label.

Generated by 🚫 dangerJS against c5c2782

@runningcode runningcode marked this pull request as ready for review July 6, 2026 09:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants