chore(ci): prevent cross-workflow cache poisoning in pr-preview (CVE-2026-45321 mitigation) #8423

Merged
wise-king-sullyman merged 1 commit into patternfly:main from gautamkrishnar:fix/cache-poisoning
May 19, 2026

@gautamkrishnar gautamkrishnar commented May 19, 2026

Contributor

Summary

  • Namespaces pr-preview.yml cache keys to prevent cross-workflow cache poisoning with release.yml
  • Mitigates the same GitHub Actions cache poisoning vector exploited in the TanStack supply-chain compromise (May 2026)

Background

On May 11, 2026, the Mini Shai-Hulud worm (CVE-2026-45321, CVSS 9.6) compromised 84 npm package artifacts across 42 @tanstack/* packages by chaining:

  1. Pwn Request — pull_request_target trigger that runs fork code with base repo privileges
  2. Cache poisoning — shared actions/cache keys across PR and release workflows, allowing malicious cache entries from PR builds to be restored in release builds
  3. OIDC token extraction — runner memory scraping to publish packages with valid SLSA Build Level 3 attestations

This repo's pr-preview.yml is susceptible to vectors 1 and 2. This PR addresses vector 2.

What changed

pr-preview.yml and release.yml shared identical cache keys:

# Both workflows used:
key: ${{ runner.os }}-yarn-cache-${{ hashFiles('yarn.lock') }}
key: ${{ runner.os }}-v4-${{ hashFiles('yarn.lock') }}

A malicious PR could poison the yarn or webpack cache, which would then be restored by release.yml during the next production build — injecting attacker-controlled code into published packages.

Fix: Added pr- prefix to all cache keys in pr-preview.yml:

key: ${{ runner.os }}-pr-yarn-cache-${{ hashFiles('yarn.lock') }}
key: ${{ runner.os }}-pr-v4-${{ hashFiles('yarn.lock') }}

Remaining risk (follow-up needed)

pr-preview.yml still uses pull_request_target and checks out fork PR code (lines 15-16), exposing SURGE_TOKEN, SURGE_LOGIN, and GH_PR_TOKEN to attacker-controlled code. Fixing this requires splitting into two workflows (pull_request build + workflow_run deploy).

References

Test plan

  • Verify pr-preview.yml and release.yml have no overlapping cache key prefixes
  • Confirm PR preview builds still work (cache miss on first run, then caches populate with new keys)
  • Confirm release builds are unaffected (their cache keys are unchanged)

Summary by CodeRabbit

  • Chores
    • Optimized pull request preview build caching to enhance performance and reduce build times for development workflows.
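
An added example, not part of the pull request or the project's code: a check for the first test-plan item that lists which cache keys saved by pr-preview.yml a release.yml run would restore. The workflow snippets are constructed from the keys quoted in the description; the release restore-keys line and the PR_SUFFIX variant are assumptions, and key templates are compared as text without evaluating the expressions.

```python
import re

# Constructed cache steps (not the project's real workflow files). The keys are
# the ones quoted in the PR; RELEASE's restore-keys line is an assumption.
RELEASE = """
    with:
      key: ${{ runner.os }}-yarn-cache-${{ hashFiles('yarn.lock') }}
      restore-keys: |
        ${{ runner.os }}-yarn-cache-
    with:
      key: ${{ runner.os }}-v4-${{ hashFiles('yarn.lock') }}
"""
PR_BEFORE = RELEASE  # before the fix: pr-preview.yml used identical keys
PR_AFTER = RELEASE.replace("-yarn-cache-", "-pr-yarn-cache-").replace("-v4-", "-pr-v4-")
# Hypothetical variant: marker placed after the shared prefix instead of before it
PR_SUFFIX = RELEASE.replace("-yarn-cache-", "-yarn-cache-pr-").replace("-v4-", "-v4-pr-")

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

def norm(value):
    """Normalise whitespace inside ${{ }} so equal templates compare equal."""
    return EXPR.sub(lambda m: "${{" + m.group(1) + "}}", value.strip().strip("'\""))

def cache_keys(text):
    """Collect key: values and restore-keys: entries from workflow text."""
    keys, prefixes, in_block, indent = set(), set(), False, 0
    for line in text.splitlines():
        stripped, cur = line.strip(), len(line) - len(line.lstrip())
        if not stripped:
            continue
        if in_block and cur > indent:      # entry of a restore-keys block scalar
            prefixes.add(norm(stripped))
            continue
        in_block = False
        m = re.match(r"(key|restore-keys):\s*(.*)$", stripped)
        if m and m.group(1) == "key":
            keys.add(norm(m.group(2)))
        elif m and m.group(2) in ("", "|", "|-", ">", ">-"):
            in_block, indent = True, cur
        elif m:
            prefixes.add(norm(m.group(2)))
    return keys, prefixes

def restorable_by(consumer, producer):
    """Keys the producer saves that the consumer restores (exact or by prefix)."""
    saved, _ = cache_keys(producer)
    wanted, prefixes = cache_keys(consumer)
    return [(k, "exact key" if k in wanted else "prefix match") for k in sorted(saved)
            if k in wanted or any(k.startswith(p) for p in prefixes | wanted)]
```

An empty result for `restorable_by(RELEASE, PR_AFTER)` is the outcome the test plan asks for; the PR_SUFFIX case shows why the namespace has to sit ahead of any prefix the release workflow restores from.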

…che poisoning

pr-preview and release workflows shared identical cache keys, allowing
a malicious PR to poison caches that release builds restore from.

coderabbitai Bot commented May 19, 2026

Contributor

Walkthrough

The pr-preview GitHub Actions workflow is updated to use PR-specific cache key prefixes. Yarn cache keys now use pr-yarn-cache instead of yarn-cache, and Webpack cache keys use pr-v4 instead of v4, ensuring PR builds maintain isolated caches.

Changes

CI Cache Configuration

| Layer / File(s) | Summary |
| --- | --- |
| PR-specific cache keys for Yarn and Webpack (.github/workflows/pr-preview.yml) | Yarn cache key and restore-keys prefixes change to pr-yarn-cache; Webpack cache key prefix changes to pr-v4. Cache isolation prevents PR preview builds from sharing cache entries with non-PR workflows. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The PR title follows conventional commit format with 'chore(ci)' prefix and clearly describes the cache key namespacing change, though it differs from the PR summary title which uses 'fix'. |


patternfly-build commented May 19, 2026

Collaborator

@nicolethoen nicolethoen changed the title from "fix(ci): prevent cross-workflow cache poisoning in pr-preview (CVE-2026-45321 mitigation)" to "chore(ci): prevent cross-workflow cache poisoning in pr-preview (CVE-2026-45321 mitigation)" May 19, 2026

@wise-king-sullyman wise-king-sullyman left a comment

Collaborator

Thanks!

@wise-king-sullyman wise-king-sullyman merged commit 4613dac into patternfly:main May 19, 2026
5 checks passed
@patternfly-build

Collaborator

🎉 This PR is included in version 6.5.0-prerelease.94 🎉

The release is available on:

Your semantic-release bot 📦🚀

@gautamkrishnar gautamkrishnar deleted the fix/cache-poisoning branch May 20, 2026 14:53