security: harden CI actions and subprocess calls #34247

pull RinZ27 wants to merge 1 commits into bitcoin:master from RinZ27:security-hardening-ci-scripts changing 4 files +64 −26
  1. RinZ27 commented at 7:33 am on January 10, 2026: none

    Harden several CI and deployment scripts against potential injection vectors.

    Changes

    • .github/actions/configure-docker/action.yml: Migrated direct github context interpolation to intermediate environment variables. This follows security best practices to prevent potential script injection from untrusted context data.
    • contrib/macdeploy/macdeployqtplus: Refactored the codesign subprocess call to use shell=False and list-based arguments. Fixed several linting issues (E401, F841).
    • contrib/verify-binaries/verify.py:
      • Replaced urllib with wget for safer file retrieval, mitigating potential LFI risks.
      • Fixed a bug in verify_with_gpg where an empty string was passed to the --output argument when no output file was specified.
      • Removed unused imports and cleaned up code.
    • contrib/verify-binaries/test.py: Updated run_verify to execute via shell=False.

    These changes reduce the attack surface for command injection in automated environments and local deployment scripts while improving code quality and reliability.
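The three script-level patterns this PR description names (list-based argv with `shell=False` instead of an interpolated shell string, appending `--output` only when a destination was actually given, and accepting only http/https URLs before downloading) are illustrated below in one runnable file. This is an added example, not code from bitcoin/bitcoin or from this PR: the function names (`codesign_argv`, `gpg_argv`, `is_allowed_download_url`, and the rest), the exact `codesign`/`gpg` flags and the sample filenames are all hypothetical and were chosen only to show the pattern.

```python
"""Added example (not code from the bitcoin/bitcoin repository or this PR):
the hardening patterns described in the PR, in one file.

  1. argv lists with shell=False instead of an interpolated shell string
  2. emit --output only when an output path was actually requested
  3. accept only http/https URLs before handing them to a downloader

All function names, flags and sample values below are hypothetical.
"""
import shlex
import subprocess
import sys
from typing import List, Optional
from urllib.parse import urlsplit


def shell_string_cmd(identity: str, target: str) -> str:
    """The pre-fix pattern: caller data interpolated into a string meant for
    shell=True. The shell re-tokenises the string, so argument boundaries
    chosen by the caller are lost."""
    return f"codesign --sign {identity} --force {target}"


def codesign_argv(identity: str, target: str) -> List[str]:
    """The hardened pattern: one list element per argument. With shell=False
    each element reaches the program verbatim, metacharacters included."""
    return ["codesign", "--sign", identity, "--force", target]


def count_shell_tokens(cmd: str) -> int:
    """How many words a POSIX shell would see in `cmd` (shlex follows the
    shell's quoting and splitting rules). Used to show boundaries being lost."""
    return len(shlex.split(cmd))


def gpg_argv(sig_file: str, output_file: Optional[str] = None) -> List[str]:
    """Append --output only when a destination was requested. Unconditionally
    passing --output '' (the verify_with_gpg bug the PR fixes) would make gpg
    try to write to an empty filename."""
    argv = ["gpg", "--batch", "--decrypt"]
    if output_file:
        argv += ["--output", output_file]
    argv.append(sig_file)
    return argv


def is_allowed_download_url(url: str) -> bool:
    """Accept only absolute http/https URLs that name a host. file:// URLs,
    bare local paths and other schemes are rejected, so the downloader can
    never be pointed at the local filesystem."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def run_argv(argv: List[str]) -> subprocess.CompletedProcess:
    """Run a list-based command without a shell and capture its output."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def echo_first_arg(value: str) -> str:
    """Pass `value` as a single argv element to a child interpreter and return
    what the child received: with shell=False it arrives unchanged."""
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value]
    return run_argv(argv).stdout


if __name__ == "__main__":
    # Constructed sample: an app bundle name containing spaces and a ';'.
    target = "My App.app; echo injected"
    print("shell string would be split into", count_shell_tokens(shell_string_cmd("Dev", target)), "words")
    print("argv list keeps", len(codesign_argv("Dev", target)), "elements")
    print("child received:", repr(echo_first_arg(target)))
    print(gpg_argv("SHA256SUMS.asc"))
    print(gpg_argv("SHA256SUMS.asc", "SHA256SUMS"))
    for u in ("https://example.invalid/bin/SHA256SUMS.asc", "file:///etc/hosts", "/tmp/x"):
        print(u, "->", is_allowed_download_url(u))
```

The `count_shell_tokens` / `echo_first_arg` pair is the check worth keeping in a test suite: the interpolated string version turns one caller-supplied filename into several words, while the list form delivers it to the child process as exactly one argument. The GitHub Actions part of the PR (moving `${{ github.* }}` expressions into `env:` variables) follows the same principle at the YAML level and is not shown here.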

  2. DrahtBot commented at 7:33 am on January 10, 2026: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/34247.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #34260 (contrib: Remove unused functions by maflcko)
    • #33592 (contrib: remove deprecated --deep signing from macdeployqtplus by amishhaa)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  3. in contrib/verify-binaries/verify.py:117 in a840629c2e outdated
    116@@ -117,14 +117,12 @@ def download_with_wget(remote_file, local_file):
    117 
    118 
    119 def download_lines_with_urllib(url) -> tuple[bool, list[str]]:
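    Review bot: the only visible line in this hunk is the unchanged context `def download_lines_with_urllib(url) -> tuple[bool, list[str]]:`, yet the PR description says urllib was replaced with wget for file retrieval; if nothing calls this function any more it should be deleted in the same commit rather than left behind, since its urllib imports are exactly what the lint job later reports (`unused import urllib.error`).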
    


    maflcko commented at 11:15 am on January 10, 2026:
    this function is unused?

    RinZ27 commented at 1:24 pm on January 10, 2026:
    Thanks for catching this! I’ve removed the unused function.
  4. RinZ27 requested review from maflcko on Jan 10, 2026
  5. DrahtBot added the label CI failed on Jan 10, 2026
  6. DrahtBot commented at 11:24 pm on January 10, 2026: contributor

    🚧 At least one of the CI tasks failed. Task lint: https://github.com/bitcoin/bitcoin/actions/runs/20878966878/job/60007136878 LLM reason (✨ experimental): Lint Python code: unused import urllib.error detected by ruff causing lint check to fail.

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

  7. RinZ27 force-pushed on Jan 11, 2026
  8. DrahtBot removed the label CI failed on Jan 11, 2026
  9. DrahtBot added the label CI failed on Jan 11, 2026
  10. DrahtBot removed the label CI failed on Jan 11, 2026
  11. DrahtBot added the label Needs rebase on Jan 14, 2026
  12. RinZ27 force-pushed on Jan 14, 2026
  13. security: harden CI actions and subprocess calls
    - Mitigate potential GHA injection in configure-docker action by using intermediate environment variables for github context data.
    - Refactor subprocess calls in macdeployqtplus and verify-binaries to use shell=False and list-based arguments.
    - Harden verify.py against LFI by enforcing http/https protocols for URL downloads and ensuring thread safety.
    - Fix a bug in verify_with_gpg where an empty string was passed to --output when no output file was specified.
    - Clean up unused imports and functions in verify-binaries scripts.
    a001b4c57f
  14. RinZ27 force-pushed on Jan 14, 2026
  15. DrahtBot removed the label Needs rebase on Jan 14, 2026



github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-01-14 06:13 UTC
