feat(ci): enhance W6 trigger security with input validation and tag protection #136

@aRustyDev

Description

Context

W6 (Release Atomic Chart) currently uses workflow_dispatch which can be triggered externally via the GitHub API by anyone with write access to the repository.

We're implementing repository_dispatch + GitHub App token as the primary approach, but there are additional security enhancements to consider.

Enhancement Ideas

Input Validation

  • Add regex validation for tag format in the dispatch handler
  • Validate that the tag exists before processing
  • Validate that the tag points to a commit on main

Branch/Tag Protection Rules

  • Configure tag protection rules to limit who can create release tags
  • Pattern: *-v* (matches cloudflared-v0.1.0, etc.)
  • Require specific actors (GitHub App, admins) for tag creation

Audit Logging

  • Log all dispatch events with actor information
  • Track manual vs automated releases
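As an added example (not code from this issue or from the repository's W6 workflows), the three input-validation checks and the audit-logging bullets above as a POSIX shell script that a dispatch-handler step could run before releasing. The concrete tag regex (a `*-v*` refinement to `<chart>-v<major>.<minor>.<patch>`), the exit codes, the JSON field names and the throwaway demo repository are assumptions of this example; `GITHUB_ACTOR` and `GITHUB_EVENT_NAME` are the standard variables GitHub Actions sets for every job.

```shell
#!/bin/sh
# Example dispatch-handler checks for a tag-driven release (constructed example).
# Requires git on PATH for the repository checks.

# Assumed tag format: <chart>-v<major>.<minor>.<patch>, e.g. cloudflared-v0.1.0.
# Anchored on both ends so shell metacharacters and leading dashes are rejected
# before the tag is ever handed to git.
TAG_PATTERN='^[a-z0-9]+(-[a-z0-9]+)*-v[0-9]+\.[0-9]+\.[0-9]+$'

# Check 1: tag matches the allowed format.
validate_tag_format() {
  printf '%s\n' "$1" | grep -Eq "$TAG_PATTERN"
}

# Check 2: the tag actually exists in the repository at $2.
tag_exists() {
  git -C "$2" rev-parse --verify --quiet "refs/tags/$1" >/dev/null
}

# Check 3: the tagged commit is reachable from main (any non-zero status counts as "not on main").
tag_on_main() {
  git -C "$2" merge-base --is-ancestor "refs/tags/$1" refs/heads/main 2>/dev/null
}

# Runs all three checks in order; returns 1/2/3 for the failing check, 0 on success.
validate_release_tag() {
  tag="$1"; repo="$2"
  if ! validate_tag_format "$tag"; then
    echo "reject: tag '$tag' does not match $TAG_PATTERN" >&2; return 1
  fi
  if ! tag_exists "$tag" "$repo"; then
    echo "reject: tag '$tag' does not exist" >&2; return 2
  fi
  if ! tag_on_main "$tag" "$repo"; then
    echo "reject: tag '$tag' is not on main" >&2; return 3
  fi
  echo "accept: $tag -> $(git -C "$repo" rev-parse "refs/tags/$tag^{commit}")"
}

# Audit record: one JSON line with the acting identity and whether the release was
# manual (workflow_dispatch) or automated (repository_dispatch). Values are not JSON-escaped,
# which is fine for GitHub-supplied actor and event names but not for arbitrary input.
log_dispatch_event() {
  actor="${GITHUB_ACTOR:-unknown}"
  event="${GITHUB_EVENT_NAME:-unknown}"
  case "$event" in
    workflow_dispatch)   kind=manual ;;
    repository_dispatch) kind=automated ;;
    *)                   kind=other ;;
  esac
  printf '{"event":"%s","kind":"%s","actor":"%s","tag":"%s"}\n' "$event" "$kind" "$actor" "$1"
}

# Builds a throwaway repository (constructed test data): cloudflared-v0.1.0 on main,
# cloudflared-v0.2.0 on a side branch that was never merged. Prints the path.
make_demo_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  git -C "$d" symbolic-ref HEAD refs/heads/main
  git -C "$d" -c user.name=demo -c user.email=demo@example.invalid commit -q --allow-empty -m "initial"
  git -C "$d" tag cloudflared-v0.1.0
  git -C "$d" checkout -q -b feature
  git -C "$d" -c user.name=demo -c user.email=demo@example.invalid commit -q --allow-empty -m "feature work"
  git -C "$d" tag cloudflared-v0.2.0
  git -C "$d" checkout -q main
  printf '%s\n' "$d"
}
```

In a workflow step the call would be `validate_release_tag "$TAG" "$GITHUB_WORKSPACE" && log_dispatch_event "$TAG"`, with the checkout step fetching `main` and tags so the ancestry check has something to look at. The format check runs first on purpose: it is the only one that sees untrusted text before it reaches a `git` command line.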

Related

  • W6 workflow: .github/workflows/release-atomic-chart.yaml
  • W6-Tag workflow: .github/workflows/tag-atomic-chart.yaml

Labels

  • enhancement
  • cicd

Metadata

Assignees

Labels

  • cicd: CI/CD pipelines and automation infrastructure
  • enhancement: New feature or request

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests