security: harden CI actions and subprocess calls #34247

pull RinZ27 wants to merge 2 commits into bitcoin:master from RinZ27:security-hardening-ci-scripts changing 6 files +177 −80
  1. RinZ27 commented at 7:33 am on January 10, 2026: none

    Harden several CI and deployment scripts against potential injection vectors.

    Changes

    • .github/actions/configure-docker/action.yml: Migrated direct github context interpolation to intermediate environment variables to prevent potential script injection from untrusted context data.
    • contrib/macdeploy/macdeployqtplus: Refactored the codesign subprocess call to use shell=False and list-based arguments. Fixed several linting issues (E401, F841).
    • contrib/verify-binaries/verify.py:
      • Replaced wget with urllib.request for file retrieval, enforcing HTTP(S) protocols to mitigate potential LFI risks.
      • Fixed a bug in verify_with_gpg where an empty string was passed to the --output argument when no output file was specified.
      • Removed unused imports and cleaned up code.
    • contrib/verify-binaries/test.py: Updated run_verify to execute via shell=False.

    These changes reduce the attack surface for command injection in automated environments and local deployment scripts while improving code quality and reliability.

  2. DrahtBot commented at 7:33 am on January 10, 2026: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/34247.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #33592 (contrib: remove deprecated –deep signing from macdeployqtplus by amishhaa)
    • #29700 (kernel, refactor: return error status on all fatal errors by ryanofsky)
    • #26022 (Add util::ResultPtr class by ryanofsky)
    • #25722 (refactor: Use util::Result class for wallet loading by ryanofsky)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  3. in contrib/verify-binaries/verify.py:117 in a840629c2e outdated 
    116@@ -117,14 +117,12 @@ def download_with_wget(remote_file, local_file):
117 
118 
119 def download_lines_with_urllib(url) -> tuple[bool, list[str]]:
    maflcko commented at 11:15 am on January 10, 2026:
    this function is unused?
    RinZ27 commented at 1:24 pm on January 10, 2026:
    Thanks for catching this! I’ve removed the unused function.
  4. RinZ27 requested review from maflcko on Jan 10, 2026
  5. DrahtBot added the label CI failed on Jan 10, 2026
  6. DrahtBot commented at 11:24 pm on January 10, 2026: contributor

    🚧 At least one of the CI tasks failed. Task lint: https://github.com/bitcoin/bitcoin/actions/runs/20878966878/job/60007136878 LLM reason (✨ experimental): Lint Python code: unused import urllib.error detected by ruff causing lint check to fail.

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

  7. RinZ27 force-pushed on Jan 11, 2026
  8. DrahtBot removed the label CI failed on Jan 11, 2026
  9. DrahtBot added the label CI failed on Jan 11, 2026
  10. DrahtBot removed the label CI failed on Jan 11, 2026
  11. DrahtBot added the label Needs rebase on Jan 14, 2026
  12. RinZ27 force-pushed on Jan 14, 2026
  13. RinZ27 force-pushed on Jan 14, 2026
  14. DrahtBot removed the label Needs rebase on Jan 14, 2026
  15. RinZ27 force-pushed on Jan 14, 2026
  16. DrahtBot added the label CI failed on Jan 14, 2026
  17. DrahtBot commented at 9:10 am on January 14, 2026: contributor

    🚧 At least one of the CI tasks failed. Task lint: https://github.com/bitcoin/bitcoin/actions/runs/20982150602/job/60321919489 LLM reason (✨ experimental): Lint checks failed due to trailing whitespace and missing trailing newline detected by ruff.

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

  18. RinZ27 commented at 12:59 pm on January 14, 2026: none
    Fixed the linting issues (E401, F841, F821) in macdeployqtplus and verify.py. The lint job should pass now.
  19. RinZ27 force-pushed on Jan 15, 2026
  20. ci: harden GHA and CI scripts against injection 
    Harden GitHub Actions workflows and CI python scripts by avoiding direct embedding of untrusted GitHub context variables in shell scripts and preventing arbitrary command execution in container setup. Fixed several linting issues in contrib scripts and ensured proper checkout of merge commits for PR linting.
    0f38a70ff5
  21. Fix linting issues: trailing whitespace, missing newlines, and missing re import a89391d6a6
  22. RinZ27 force-pushed on Jan 19, 2026
  23. in contrib/verify-binaries/verify.py:125 in a89391d6a6 
    124+        with urllib.request.urlopen(url) as response, open(local_file, 'wb') as out_file:
125+            shutil.copyfileobj(response, out_file)
126+        return True, ""
127+    except HTTPError as e:
128+        return False, f"HTTPError: {e}"
129+    except Exception as e:
    maflcko commented at 10:49 am on January 20, 2026:
    none of the diff in this file makes any sense and contradicts even the pull request description.
  24. maflcko commented at 10:50 am on January 20, 2026: member

    Closing. This is an LLM bot producing ai slop.

    The hardening itself seems fine as a style cleanup, but all inputs are trusted anyway, so there is no rush in fixing this.

    However, if someone fixes this, it should be done by a human and not by a bot that produces slop.

  25. maflcko closed this on Jan 20, 2026
  26. maflcko commented at 10:53 am on January 20, 2026: member

    This also conflicts with pulls that remove the code: #33592 (contrib: remove deprecated –deep signing from macdeployqtplus by amishhaa)

    There is probably little value in changing code that is proposed to be deleted.

  27. RinZ27 deleted the branch on Jan 20, 2026


RinZ27 DrahtBot maflcko

Labels
CI failed

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-01-28 09:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me