
[Safe Outputs Conformance] SEC-005: apply_samples.cjs references target-repo without an allowlist check or documented exemption #38802

@github-actions


Conformance Check Failure

Check ID: SEC-005
Severity: HIGH
Category: Security (Cross-Repository Validation)

Problem Description

The Safe Outputs conformance checker (scripts/check-safe-outputs-conformance.sh) flags actions/setup/js/apply_samples.cjs because it references a target repository (entry.arguments.repo) but does not contain an allowlist-validation token (allowedRepos / validateTargetRepo / checkAllowedRepo), nor a documented @safe-outputs-exempt SEC-005 annotation.

Under the spec, any handler that can act against a repository other than the current one MUST validate that repo against an allowlist before making API calls, so that agent-controlled content cannot redirect a write to an arbitrary repository.

Investigation shows this is a heuristic false positive: apply_samples.cjs is the deterministic replay driver for gh aw compile --use-samples. The single repo reference (around actions/setup/js/apply_samples.cjs:222) is used only to derive owner/repo for a read-only PR head-ref lookup (fetchPullRequestHeadRef) during sample replay — it performs no cross-repo write and is not driven by agent safe-output content. The correct remediation is therefore to record a documented exemption rather than add allowlist code, matching the established pattern already used in this codebase (e.g. resolve_transport_paths.cjs, resolve_host_repo.cjs, update_activation_comment.cjs).

Affected Components

  • Files: actions/setup/js/apply_samples.cjs (target-repo reference near line 222)
  • Handlers: replay driver only — no cross-repo write handler involved

🔍 Current vs Expected Behavior

Current Behavior

apply_samples.cjs reads entry.arguments.repo (falling back to GITHUB_REPOSITORY) to compute owner/repo for read-only PR head-ref API lookups during deterministic sample replay. It contains neither an allowlist check nor a @safe-outputs-exempt SEC-005 annotation, so SEC-005 reports it as a HIGH failure.

Expected Behavior

Either (a) the file performs allowlist validation before any cross-repo API call, or (b) — since the repo value is used only for read-only lookups and is not derived from agent safe-output content — the file carries a documented @safe-outputs-exempt SEC-005 annotation explaining why the allowlist requirement does not apply, consistent with the existing exemptions in actions/setup/js/.

Remediation Steps

This task can be assigned to a Copilot coding agent:

  1. Confirm that actions/setup/js/apply_samples.cjs uses entry.arguments.repo only to construct owner/repo for read-only fetchPullRequestHeadRef lookups during sample replay, and performs no cross-repo write.
  2. Add a documented exemption annotation near the top of the file in the same style as actions/setup/js/resolve_transport_paths.cjs, e.g.:
    // @safe-outputs-exempt SEC-005: target repo is used only for read-only PR head-ref lookups during deterministic sample replay; never derived from agent safe-output content and never used for a cross-repo write.
  3. If, instead, a real cross-repo write path is discovered, add allowlist validation (validateTargetRepo / allowed-repos check) before the API call rather than an exemption.

Verification

After remediation, run:

bash scripts/check-safe-outputs-conformance.sh

The SEC-005 check should report PASS and the High Failures count should drop to 0.

References

  • Safe Outputs Specification: docs/src/content/docs/specs/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh (SEC-005, lines ~165-192)
  • Existing exemption pattern: actions/setup/js/resolve_transport_paths.cjs, actions/setup/js/resolve_host_repo.cjs
  • Run ID: 27400439574

Generated by ✅ Daily Safe Outputs Conformance Checker · 66.5 AIC · ⌖ 12.9 AIC · ⊞ 6.6K ·

  • expires on Jun 12, 2026, 11:12 PM UTC-08:00
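
The token heuristic this issue describes, sketched as an added example (not the project's checker script and not code from the repository): it classifies a source file using only the tokens the issue names, which shows why a read-only lookup is still reported as a failure. The target-repo spellings other than entry.arguments.repo, the requirement that the annotation be a // comment with a non-empty reason, and the names classifySec005, SAMPLES and classifyAll are assumptions.

```javascript
// Added illustration: approximates the SEC-005 heuristic as the issue describes it.
// It is not the logic of scripts/check-safe-outputs-conformance.sh.

// Assumption: what counts as a target-repo reference. The issue names only
// entry.arguments.repo; the other spellings are guesses.
const TARGET_REPO_REF = /\barguments\.repo\b|\btarget[-_]repo\b|\btargetRepo\b/;

// Allowlist-validation tokens listed in the issue.
const ALLOWLIST_TOKEN = /\b(allowedRepos|validateTargetRepo|checkAllowedRepo)\b/;

// Assumption: the exemption must be a // comment on one line with a reason
// after the colon, so a bare tag does not count as "documented".
const EXEMPTION = /^[ \t]*\/\/[ \t]*@safe-outputs-exempt[ \t]+SEC-005:[ \t]*\S/m;

// Classify one file's contents: NOT_APPLICABLE, PASS, EXEMPT or FAIL.
function classifySec005(source) {
  if (!TARGET_REPO_REF.test(source)) return "NOT_APPLICABLE";
  if (ALLOWLIST_TOKEN.test(source)) return "PASS";
  if (EXEMPTION.test(source)) return "EXEMPT";
  return "FAIL"; // references a repo, no allowlist token, no documented exemption
}

// Constructed sample sources (not copied from the repository).
const SAMPLES = {
  flagged: [
    "const slug = entry.arguments.repo || process.env.GITHUB_REPOSITORY;",
    "const [owner, repo] = slug.split('/');",
    "const ref = await fetchPullRequestHeadRef(owner, repo, prNumber);",
  ].join("\n"),
  exempted: [
    "// @safe-outputs-exempt SEC-005: read-only PR head-ref lookup during sample replay.",
    "const slug = entry.arguments.repo || process.env.GITHUB_REPOSITORY;",
  ].join("\n"),
  bareTag: [
    "// @safe-outputs-exempt SEC-005:",
    "const slug = entry.arguments.repo;",
  ].join("\n"),
  validated: [
    "const slug = entry.arguments.repo;",
    "validateTargetRepo(slug, allowedRepos);",
  ].join("\n"),
  unrelated: "const title = entry.arguments.title;",
};

// Run every constructed sample through the classifier.
function classifyAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, src]) => [name, classifySec005(src)])
  );
}
```

A token match only shows that the identifier appears in the file; a PASS or EXEMPT from a check of this kind still needs a reviewer to confirm that the validation runs before the API call, or that the stated reason holds.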
