[Security Research] Artifact Poisoning PoC — Non-destructive callback in fork-controlled script #169766

Open
rawnly25 wants to merge 6 commits into cockroachdb:master from rawnly25:security-poc-artifact-poisoning

@rawnly25 rawnly25 commented May 5, 2026

Security Research: Artifact Poisoning Proof of Concept

This PR demonstrates a non-destructive security proof of concept for the workflow_run trust boundary vulnerability in code-cover-publish.yaml.

What this PR does

Adds a harmless curl callback (sending only hostname + whoami) to build/ghactions/pr-codecov-run-tests.sh to prove that fork-controlled scripts execute in the CI context when triggered by code-cover-gen.yml.

Why this matters

The code-cover-publish.yaml workflow:

  • Triggers on workflow_run from any successful pull_request workflow
  • Has no authorization check on the PR source (no label, author, or fork validation)
  • Downloads the artifact from the untrusted PR
  • Authenticates to GCP with a static service account key (secrets.CODECOVER_SERVICE_ACCOUNT_KEY)
  • Processes the artifact data with GCP credentials active

Impact

An attacker can:

  1. Modify fork scripts → execute arbitrary code in the trigger context
  2. Poison the artifact content → influence behavior in the privileged handler
  3. The handler has no source validation → runs with GCP credentials for any PR

This PoC is non-destructive

  • Only sends hostname, whoami, workflow, run_id - no secrets or tokens
  • Does not modify any production data
  • Purpose: prove execution context before filing a security report

Suggested Fix

Add source validation to code-cover-publish.yaml:

- name: Verify PR source
  run: |
    if [[ "${{ github.event.workflow_run.head_repository.full_name }}" != "cockroachdb/cockroach" ]]; then
      echo "Artifact from untrusted fork, skipping"
      exit 1
    fi

And migrate from static service account key to OIDC (Workload Identity Federation).
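
A fail-closed form of the source check suggested above, as an added example that is not part of the original PR or the CockroachDB repository: it reads the workflow_run event payload from GITHUB_EVENT_PATH instead of interpolating `${{ }}` into the shell. The function name and the sample payloads are assumptions made for illustration.

```python
import json
import os
import sys


def check_workflow_run(event):
    """Return (trusted, reason) for a workflow_run payload; fail closed."""
    run = event.get("workflow_run") or {}
    # GitHub owner/repo names are case-insensitive, so compare lower-cased.
    base = ((event.get("repository") or {}).get("full_name") or "").lower()
    head = ((run.get("head_repository") or {}).get("full_name") or "").lower()
    if not base or not head:
        # A missing or null field is treated as untrusted, never as a match.
        return False, "repository fields missing or null"
    if head != base:
        return False, f"triggering run came from {head}, not {base}"
    if run.get("conclusion") != "success":
        return False, f"triggering run concluded {run.get('conclusion')!r}"
    return True, "triggering run came from the base repository"


# Constructed sample payloads, trimmed to the fields the check reads.
FORK_EVENT = {
    "repository": {"full_name": "cockroachdb/cockroach"},
    "workflow_run": {
        "event": "pull_request",
        "conclusion": "success",
        "head_repository": {"full_name": "example-user/cockroach"},
    },
}
SAME_REPO_EVENT = {
    "repository": {"full_name": "cockroachdb/cockroach"},
    "workflow_run": {
        "event": "pull_request",
        "conclusion": "success",
        "head_repository": {"full_name": "CockroachDB/cockroach"},
    },
}

if __name__ == "__main__":
    # In a workflow step, GitHub writes the event payload to GITHUB_EVENT_PATH.
    with open(os.environ["GITHUB_EVENT_PATH"], encoding="utf-8") as fh:
        trusted, reason = check_workflow_run(json.load(fh))
    print(reason)
    sys.exit(0 if trusted else 1)
```

Run as a step before the artifact download and the GCP authentication step, a non-zero exit stops the job before either happens for a fork-originated run.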

This commit demonstrates that fork-controlled scripts are executed in the workflow_run privileged context. The injected callback only sends hostname/whoami - no secrets are accessed.
@rawnly25 rawnly25 requested a review from a team as a code owner May 5, 2026 19:57

trunk-io Bot commented May 5, 2026

Merging to master in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here.


blathers-crl Bot commented May 5, 2026

Thank you for contributing to CockroachDB. Please ensure you have followed the guidelines for creating a PR.

Before a member of our team reviews your PR, I have some potential action items for you:

  • Please ensure your git commit message contains a release note.
  • When CI has completed, please ensure no errors have appeared.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@blathers-crl blathers-crl Bot added the O-community Originated from the community label May 5, 2026
@cockroach-teamcity

This change is Reviewable

@cockroachlabs-cla-agent
CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

This ensures code-cover-gen.yml succeeds so code-cover-publish.yaml triggers.

blathers-crl Bot commented May 5, 2026

Thank you for updating your pull request.

Before a member of our team reviews your PR, I have some potential action items for you:

  • We notice you have more than one commit in your PR. We try to break logical changes into separate commits, but commits such as "fix typo" or "address review commits" should be squashed into one commit and pushed with --force.
  • Please ensure your git commit message contains a release note.
  • When CI has completed, please ensure no errors have appeared.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

This ensures: 1) Callback fires before any failure, 2) Artifact uploads, 3) Job succeeds so handler triggers

- Fix continue-on-error placement
- Hardcode webhook URL
- Add always() on critical steps