107 lines
4.3 KiB
YAML
107 lines
4.3 KiB
YAML
name: "Security: Fork PR Alert"
|
|
|
|
on:
|
|
pull_request:
|
|
types: [opened, synchronize, closed, reopened]
|
|
|
|
permissions:
|
|
pull-requests: write
|
|
contents: read
|
|
|
|
jobs:
|
|
fork-pr-monitor:
|
|
if: github.event.pull_request.head.repo.full_name != github.repository
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Check for suspicious patterns
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
|
|
with:
|
|
script: |
|
|
const pr = context.payload.pull_request;
|
|
const alerts = [];
|
|
|
|
// 1. Check for [skip ci] in commit messages from fork PRs
|
|
if (context.payload.action === 'opened' || context.payload.action === 'synchronize') {
|
|
const commits = await github.rest.pulls.listCommits({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: pr.number,
|
|
per_page: 100
|
|
});
|
|
|
|
const skipCiCommits = commits.data.filter(c =>
|
|
/\[skip ci\]|\[ci skip\]|\[no ci\]/i.test(c.commit.message)
|
|
);
|
|
|
|
if (skipCiCommits.length > 0) {
|
|
alerts.push(`⚠️ **[skip ci] detected in fork PR** — ${skipCiCommits.length} commit(s) contain CI skip directives. Commits: ${skipCiCommits.map(c => c.sha.substring(0, 7)).join(', ')}`);
|
|
}
|
|
}
|
|
|
|
// 2. Check for force-push that reduces changed files to 0 (evidence cleanup)
|
|
if (context.payload.action === 'synchronize') {
|
|
const prDetails = await github.rest.pulls.get({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: pr.number
|
|
});
|
|
|
|
if (prDetails.data.changed_files === 0) {
|
|
alerts.push(`🚨 **Zero-file fork PR after force-push** — PR was force-pushed to show 0 changed files. This matches the TanStack attack cleanup pattern.`);
|
|
}
|
|
}
|
|
|
|
// 3. Check for rapid open-then-close (PR used only to trigger CI)
|
|
if (context.payload.action === 'closed' && !pr.merged) {
|
|
const created = new Date(pr.created_at);
|
|
const closed = new Date(pr.closed_at);
|
|
const minutesOpen = (closed - created) / (1000 * 60);
|
|
|
|
if (minutesOpen < 30) {
|
|
alerts.push(`🚨 **Fork PR closed rapidly** — opened and closed within ${Math.round(minutesOpen)} minutes without merging. May indicate a CI-trigger-only attack.`);
|
|
}
|
|
}
|
|
|
|
// 4. Check for large bundled files (>5000 lines) added by the PR
|
|
if (context.payload.action === 'opened' || context.payload.action === 'synchronize') {
|
|
const files = await github.rest.pulls.listFiles({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
pull_number: pr.number,
|
|
per_page: 100
|
|
});
|
|
|
|
const largeNewFiles = files.data.filter(f =>
|
|
f.status === 'added' && f.additions > 5000
|
|
);
|
|
|
|
if (largeNewFiles.length > 0) {
|
|
alerts.push(`⚠️ **Large files added by fork PR** — ${largeNewFiles.map(f => '`' + f.filename + '` (' + f.additions + ' lines)').join(', ')}. Bundled payloads are a common supply-chain attack vector.`);
|
|
}
|
|
}
|
|
|
|
// Report alerts
|
|
if (alerts.length > 0) {
|
|
const body = [
|
|
'## 🔒 Supply Chain Security Alert',
|
|
'',
|
|
'This fork PR triggered the following security alerts:',
|
|
'',
|
|
alerts.join('\n\n'),
|
|
'',
|
|
'---',
|
|
'_Automated by supply-chain security monitor. See [TanStack incident](https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack) for context._'
|
|
].join('\n');
|
|
|
|
// Post as PR comment
|
|
await github.rest.issues.createComment({
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
issue_number: pr.number,
|
|
body: body
|
|
});
|
|
|
|
// Also set the action as failed annotation
|
|
core.warning(alerts.join(' | '));
|
|
}
|