Summary
The docs preview deploy references CLOUDFLARE_API_TOKEN in a step that shares a job — and an npm-installed toolchain — with PR-authored build code. This should be hardened so the token is never reachable by code a contributor controls.
Current behavior (.github/workflows/ci.yml)
- The single
CI job runs make ci, which installs the PR's pnpm-lock.yaml and runs PR-authored build steps.
- A later step in the same job runs
pnpm exec wrangler versions upload with CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID to publish the PR preview.
- Because
wrangler resolves from the PR-installed node_modules, a malicious same-repo PR could tamper with the resolved toolchain so the token-bearing step exfiltrates the secret.
Scope / severity
- Fork PRs are already safe: no secrets are exposed to fork runs, and the deploy steps are gated to same-repo events.
- Exposure is limited to same-repo PRs, i.e. accounts with
write/push (currently the two admins) → low severity today, but it should be fixed before write access is granted more broadly.
Proposed fix (lands with the CI re-architecture)
Move preview + production docs deploy into a dedicated docs-deploy job that:
- installs
wrangler from trusted main (or a pinned version), not the PR tree;
- consumes only the static
docs/dist artifact built by the upstream build job; and
- is the only place
CLOUDFLARE_* is referenced (ideally scoped to a production Environment).
This removes PR-authored code from any job that can see the token.
Notes
Tracked separately so it isn't lost if the CI rework slips; the fix will most likely arrive as the docs-deploy extraction (Step 1 of the CI rework).
Summary
The docs preview deploy references
CLOUDFLARE_API_TOKENin a step that shares a job — and an npm-installed toolchain — with PR-authored build code. This should be hardened so the token is never reachable by code a contributor controls.Current behavior (
.github/workflows/ci.yml)CIjob runsmake ci, which installs the PR'spnpm-lock.yamland runs PR-authored build steps.pnpm exec wrangler versions uploadwithCLOUDFLARE_API_TOKEN/CLOUDFLARE_ACCOUNT_IDto publish the PR preview.wranglerresolves from the PR-installednode_modules, a malicious same-repo PR could tamper with the resolved toolchain so the token-bearing step exfiltrates the secret.Scope / severity
write/push(currently the two admins) → low severity today, but it should be fixed before write access is granted more broadly.Proposed fix (lands with the CI re-architecture)
Move preview + production docs deploy into a dedicated
docs-deployjob that:wranglerfrom trustedmain(or a pinned version), not the PR tree;docs/distartifact built by the upstreambuildjob; andCLOUDFLARE_*is referenced (ideally scoped to aproductionEnvironment).This removes PR-authored code from any job that can see the token.
Notes
Tracked separately so it isn't lost if the CI rework slips; the fix will most likely arrive as the
docs-deployextraction (Step 1 of the CI rework).