Skip to content

[Security Fix]: Separate base and PR code in evaluation workflow#51

Merged
yl231 merged 11 commits into
mainfrom
workflow-testing
Dec 2, 2025
Merged

[Security Fix]: Separate base and PR code in evaluation workflow#51
yl231 merged 11 commits into
mainfrom
workflow-testing

Conversation

@yl231

@yl231 yl231 commented Dec 2, 2025

Copy link
Copy Markdown
Contributor

Security Fix

Fixes a security vulnerability where fork PRs could execute malicious code with full upstream permissions.

Changes:

  • Separate checkout for base repository code (trusted) and PR code (untrusted)
  • Evaluation scripts run from base repository only
  • PR prediction files copied to base workspace as data only
  • Tested with fork PR successfully

Security Impact:

  • ✅ Fork PRs can no longer modify evaluation scripts
  • ✅ Only JSON prediction files are read from PRs
  • ✅ All evaluation code comes from trusted base branch

yl231 added 10 commits November 29, 2025 15:52
@yl231
[Enhancement] Improve PR evaluation workflow and add force re-evaluat…
3e6880f 
…ion option

* Updated the PR evaluation workflow to detect changed prediction files more accurately by comparing against the fork's base branch.
* Added a `--force` option to the evaluation script to allow re-evaluation of all entries, even if they have already been evaluated.
* Minor adjustments to the GLM-4-air-router prediction JSON to test the above functionalities.
@yl231
Improved the workflow
fbd1bf0
@yl231
Improved.
54685fb
@yl231
fixed comparing with the pr branch rather than main branch
f52e846
@yl231
re-run
d9022fc
@yl231
re-test
ae50686
@yl231
Update PR evaluation workflow
34a10da
@yl231
Fixes to gemini code review.
255f436
@yl231
Fix security: separate base and PR code checkouts
e54df45
@yl231
Merge main: resolve conflicts, keep security fixes (dual checkout)
5ce9d76
@yl231 yl231 requested a review from jiarong0907 December 2, 2025 03:38
@jiarong0907

jiarong0907 commented Dec 2, 2025

Copy link
Copy Markdown
Contributor

/gemini review

@gemini-code-assist

gemini-code-assist Bot commented Dec 2, 2025

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

jiarong0907
jiarong0907 requested changes Dec 2, 2025
View reviewed changes
Comment thread .github/workflows/pr-evaluation.yml Outdated
Comment thread .github/workflows/pr-evaluation.yml Outdated
@yl231 yl231 requested a review from jiarong0907 December 2, 2025 04:33
@yl231 yl231 merged commit 92b3b24 into main Dec 2, 2025
10 checks passed
@yl231 yl231 deleted the workflow-testing branch December 2, 2025 06:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jiarong0907 jiarong0907 jiarong0907 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yl231 @jiarong0907