fix(check-rendered-specs): add source-origin preflight guard#17775
Open
liunan-ms wants to merge 1 commit into
Open
fix(check-rendered-specs): add source-origin preflight guard#17775liunan-ms wants to merge 1 commit into
liunan-ms wants to merge 1 commit into
Conversation
liunan-ms
force-pushed
the
liunan/source-origin-guard-fork
branch
from
03c0c99 to
3cc9a4f
Compare
liunan-ms
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a defense-in-depth preflight guard to the rendered-specs PR check workflow to ensure the resolved Fedora dist-git, lookaside, and source repo base URIs match a trusted allowlist before running azldev component update / azldev component render, reducing the risk of fork PRs redirecting source fetches.
Changes:
- Added a new Python guard script that reads
azldev config dump -f jsonand validates Fedora source-origin URIs against an allowlist. - Wired the guard into the GitHub Actions rendered-specs check workflow so it runs before lock updates and before renders (inside the container).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scripts/ci/render-specs-check/source_origin_guard.py | New source-origin allowlist validator for resolved Fedora endpoints from azldev config dump. |
| .github/workflows/check-rendered-specs.yml | Runs the new guard inside the container before azldev component update and before render logic. |
liunan-ms
force-pushed
the
liunan/source-origin-guard-fork
branch
from
3cc9a4f to
05d3aaf
Compare
tobiasb-ms
requested changes
Jun 22, 2026
tobiasb-ms
approved these changes
Jun 23, 2026
tobiasb-ms
left a comment
tobiasb-ms
left a comment
Contributor
There was a problem hiding this comment.
issue(non-blocking): I'd prefer if you rebased so this is one commit -- the second commit is logically part of the initial implementation.
liunan-ms
force-pushed
the
liunan/source-origin-guard-fork
branch
from
ff2f442 to
2ae0e8b
Compare
christopherco
requested changes
Jun 25, 2026
Collaborator
There was a problem hiding this comment.
Code changes themselves look good. Requesting to update your commit message in your commit to add a short explanation of the changes. We're doing rebase-merge commits of PRs now, so the commit itself is what is added to the final git tree, including its commit title and message. We need our future git log to have useful commit message information.
The rendered-specs PR check runs `azldev component update`/`render`, which fetch Fedora dist-git, lookaside, and source-repo content based on the resolved azldev config. A fork PR could redirect those base URIs to attacker -controlled endpoints, causing the trusted CI container to fetch and process untrusted sources. Add a defense-in-depth preflight guard that runs before any fetch/update or render: - New `scripts/ci/render-specs-check/source_origin_guard.py` reads `azldev config dump -f json` and validates the resolved Fedora `distGitBaseUri`, `lookasideBaseUri`, and repo base URIs against an allowlist duplicated from the trusted defaults in `distro/fedora.distro.toml`. It fails the job with a clear error if any origin drifts from the expected values. - Wire the guard into `.github/workflows/check-rendered-specs.yml` so it runs inside the container before `azldev component update` and before the render logic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
liunan-ms
force-pushed
the
liunan/source-origin-guard-fork
branch
from
2ae0e8b to
e5deebc
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds a preflight source-origin allowlist check before
azldev component update/renderin the rendered-spec PR path. The new guard validates the resolved Fedora dist-git and lookaside URIs fromazldev config dumpand fails fast if they differ from the trusted Fedora endpoints, preventing fork PRs from redirecting source fetches to attacker-controlled infrastructure.Fixes: AB#22017