fix(ci): use env vars instead of secrets in cron workflow run: blocks #28564
camgrimsec wants to merge 2 commits into calcom:main from
Move secret references from direct ${{ secrets.* }} interpolation in
run: steps to shell environment variables ($APP_URL, $CRON_API_KEY).
The env: block at job level already populates these from secrets, so
the run: blocks should reference the environment variables instead of
re-interpolating the secrets. This prevents secrets from appearing in
/proc/PID/cmdline (process argument lists) where they could be
harvested by a compromised action sharing the same runner.
Affected workflows (10 files):
- cron-bookingReminder.yml
- cron-changeTimeZone.yml
- cron-checkSmsPrices.yml
- cron-downgradeUsers.yml
- cron-monthlyDigestEmail.yml
- cron-scheduleEmailReminders.yml
- cron-scheduleSMSReminders.yml
- cron-scheduleWhatsappReminders.yml
- cron-syncAppMeta.yml
- cron-webhooks-triggers.yml
Breaking changes: None. Behaviorally equivalent — same values flow to
the same commands through safer channels.
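As an added illustration (example code, not part of this PR or of the cal.com workflows), the POSIX shell below shows the two things a reviewer should check about how `$CRON_API_KEY` reaches curl: the variable only expands inside double quotes, and once the shell has expanded it the value sits in curl's argument list again, so the only way to keep it out of `/proc/PID/cmdline` is to hand it to curl on stdin with `-K -`. `APP_URL`, the endpoint path and the key value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the PR: how a cron trigger's secret reaches curl.
# Constructed defaults; in the workflow these come from the job-level env: block.
APP_URL="${APP_URL:-https://example.invalid}"
CRON_API_KEY="${CRON_API_KEY:-constructed-test-key}"

# What a single-quoted header sends: the literal text, never the key.
header_single_quoted() {
  printf '%s' 'authorization: $CRON_API_KEY'
}

# What a double-quoted header sends: the key, but already expanded by the
# shell, so it becomes one of curl's argv strings.
header_double_quoted() {
  printf '%s' "authorization: $CRON_API_KEY"
}

# Emit a curl config on stdout. Each "name = value" line is one long option
# (--request, --url, --header) without its dashes. The secret is written into
# this stream, not onto a command line, so a process reading the cmdline of
# the curl child sees only "curl -sSf -K -". A key containing a double quote
# would have to be escaped as \" in this format.
cron_curl_config() {
  # $1: endpoint path under $APP_URL, e.g. api/cron/bookingReminder (constructed)
  printf 'request = "POST"\n'
  printf 'url = "%s/%s"\n' "$APP_URL" "$1"
  printf 'header = "content-type: application/json"\n'
  printf 'header = "authorization: %s"\n' "$CRON_API_KEY"
}

# Run the request: curl reads its options from stdin (-K -), so argv is fixed.
run_cron() {
  cron_curl_config "$1" | curl -sSf -K -
}

# Review helper: would this argv expose the secret?
# Usage: argv_leaks_secret "$CRON_API_KEY" curl -H "authorization: $CRON_API_KEY"
argv_leaks_secret() {
  secret="$1"; shift
  for arg in "$@"; do
    case "$arg" in *"$secret"*) return 0 ;; esac
  done
  return 1
}
```

Two caveats for anyone adopting the pattern: `run_cron` still needs the key in the shell's environment, and a process running as the same user can read that from `/proc/PID/environ` just as it can read `cmdline`, so the stdin route narrows the exposure rather than removing it; and the GitHub Actions log masking of secrets applies either way and is not what this change is about.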
10 issues found across 10 files
<file name=".github/workflows/cron-downgradeUsers.yml">
<violation number="1" location=".github/workflows/cron-downgradeUsers.yml:23">
P1: Authorization header uses single quotes, so `$CRON_API_KEY` is sent literally and cron authentication fails.</violation>
</file>
<file name=".github/workflows/cron-scheduleWhatsappReminders.yml">
<violation number="1" location=".github/workflows/cron-scheduleWhatsappReminders.yml:15">
P2: US cron API key is mapped from an undefined env var, causing the US cron step condition to evaluate false and skip execution.</violation>
</file>
<file name=".github/workflows/cron-syncAppMeta.yml">
<violation number="1" location=".github/workflows/cron-syncAppMeta.yml:23">
P1: Authorization header uses single quotes, so `$CRON_API_KEY` is not expanded and cron auth fails.</violation>
</file>
<file name=".github/workflows/cron-scheduleEmailReminders.yml">
<violation number="1" location=".github/workflows/cron-scheduleEmailReminders.yml:24">
P1: Authorization header uses single quotes, so `$CRON_API_KEY` is not expanded and cron authentication will fail.</violation>
</file>
<file name=".github/workflows/cron-checkSmsPrices.yml">
<violation number="1" location=".github/workflows/cron-checkSmsPrices.yml:22">
P1: Authorization header is single-quoted, so `$CRON_API_KEY` is not expanded and cron auth will fail.</violation>
</file>
<file name=".github/workflows/cron-monthlyDigestEmail.yml">
<violation number="1" location=".github/workflows/cron-monthlyDigestEmail.yml:32">
P1: Authorization header uses single quotes, so `$CRON_API_KEY` is not expanded and cron auth fails.</violation>
</file>
<file name=".github/workflows/cron-bookingReminder.yml">
<violation number="1" location=".github/workflows/cron-bookingReminder.yml:22">
P1: Authorization header uses single quotes, so `$CRON_API_KEY` is not expanded and the cron request sends a literal token string.</violation>
</file>
<file name=".github/workflows/cron-changeTimeZone.yml">
<violation number="1" location=".github/workflows/cron-changeTimeZone.yml:23">
P1: Authorization header uses single quotes, so `$CRON_API_KEY` is not expanded and cron authentication will fail.</violation>
</file>
<file name=".github/workflows/cron-scheduleSMSReminders.yml">
<violation number="1" location=".github/workflows/cron-scheduleSMSReminders.yml:14">
P2: CRON_API_KEY_US is sourced from env.CRON_API_KEY, but CRON_API_KEY isn’t defined anywhere in this workflow. That leaves CRON_API_KEY_US empty and causes the US cron step to be skipped.</violation>
</file>
<file name=".github/workflows/cron-webhooks-triggers.yml">
<violation number="1" location=".github/workflows/cron-webhooks-triggers.yml:14">
P2: `CRON_API_KEY_US` now references `env.CRON_API_KEY`, but this workflow does not define `CRON_API_KEY` in any env scope. That leaves `CRON_API_KEY_US` empty and the US curl step is skipped by its `if` guard.</violation>
</file>
| -X POST \ | ||
| -H 'content-type: application/json' \ | ||
| -H 'authorization: ${{ secrets.CRON_API_KEY }}' \ | ||
| -H 'authorization: $CRON_API_KEY' \ |
P1: Authorization header uses single quotes, so $CRON_API_KEY is not expanded and cron auth fails.
Location: .github/workflows/cron-syncAppMeta.yml, line 23
<file context>
@@ -17,8 +17,8 @@ jobs:
-X POST \
-H 'content-type: application/json' \
- -H 'authorization: ${{ secrets.CRON_API_KEY }}' \
+ -H 'authorization: $CRON_API_KEY' \
-sSf
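Review bot: the `+` line keeps the header in single quotes, so the shell never expands `$CRON_API_KEY` and curl sends the literal string `authorization: $CRON_API_KEY`; switch to `-H "authorization: $CRON_API_KEY"`. Even with that fix, the expanded value is a curl argument, so this hunk alone does not keep the key out of the process argument list the PR description cites; writing the header into a curl config fed over stdin (`curl -sSf -K -` with a `header = "authorization: ..."` line) would.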
</file context>
| -X POST \ | ||
| -H 'content-type: application/json' \ | ||
| -H 'authorization: ${{ secrets.CRON_API_KEY }}' \ | ||
| -H 'authorization: $CRON_API_KEY' \ |
P1: Authorization header uses single quotes, so $CRON_API_KEY is not expanded and cron authentication will fail.
Location: .github/workflows/cron-scheduleEmailReminders.yml, line 24
<file context>
@@ -18,8 +18,8 @@ jobs:
-X POST \
-H 'content-type: application/json' \
- -H 'authorization: ${{ secrets.CRON_API_KEY }}' \
+ -H 'authorization: $CRON_API_KEY' \
-sSf
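Review bot: same defect as the other cron files: `-H 'authorization: $CRON_API_KEY'` is single-quoted, so the request carries the literal variable name and fails authentication; use double quotes here. Since the shell then expands the key into curl's argv, the `/proc/PID/cmdline` goal in the description is only met if the header is passed via `-K -` on stdin rather than as an argument.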
</file context>
| -H 'authorization: $CRON_API_KEY' \ | |
| + -H "authorization: $CRON_API_KEY" \ |
| -X POST \ | ||
| -H 'content-type: application/json' \ | ||
| -H 'authorization: ${{ secrets.CRON_API_KEY }}' \ | ||
| -H 'authorization: $CRON_API_KEY' \ |
P1: Authorization header is single-quoted, so $CRON_API_KEY is not expanded and cron auth will fail.
Location: .github/workflows/cron-checkSmsPrices.yml, line 22
<file context>
@@ -16,8 +16,8 @@ jobs:
-X POST \
-H 'content-type: application/json' \
- -H 'authorization: ${{ secrets.CRON_API_KEY }}' \
+ -H 'authorization: $CRON_API_KEY' \
--fail
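Review bot: the `+` line is single-quoted, so `$CRON_API_KEY` is sent verbatim and `--fail` will make the step exit non-zero on the resulting 401/403; change it to `-H "authorization: $CRON_API_KEY"`. Note that a double-quoted value is still expanded into curl's argument list, so to actually keep the key off `/proc/PID/cmdline` the header should be supplied through a `-K -` config on stdin.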
</file context>
| -X POST \ | ||
| -H 'content-type: application/json' \ | ||
| -H 'authorization: ${{ secrets.CRON_API_KEY }}' \ | ||
| -H 'authorization: $CRON_API_KEY' \ |
P1: Authorization header uses single quotes, so $CRON_API_KEY is not expanded and cron auth fails.
Location: .github/workflows/cron-monthlyDigestEmail.yml, line 32
<file context>
@@ -26,8 +26,8 @@ jobs:
-X POST \
-H 'content-type: application/json' \
- -H 'authorization: ${{ secrets.CRON_API_KEY }}' \
+ -H 'authorization: $CRON_API_KEY' \
--fail
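Review bot: `-H 'authorization: $CRON_API_KEY'` on the `+` line will not expand inside single quotes, so the cron endpoint receives a literal token and `--fail` turns the rejection into a failed step; use double quotes. The expanded value is then a curl argument again, so this change does not by itself remove the key from the process argument list; a stdin config (`curl -K -`) would.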
</file context>
| -H 'authorization: $CRON_API_KEY' \ | |
| -H "authorization: $CRON_API_KEY" \ |
| -X POST \ | ||
| -H 'content-type: application/json' \ | ||
| -H 'authorization: ${{ secrets.CRON_API_KEY }}' \ | ||
| -H 'authorization: $CRON_API_KEY' \ |
P1: Authorization header uses single quotes, so $CRON_API_KEY is not expanded and the cron request sends a literal token string.
Location: .github/workflows/cron-bookingReminder.yml, line 22
<file context>
@@ -16,8 +16,8 @@ jobs:
-X POST \
-H 'content-type: application/json' \
- -H 'authorization: ${{ secrets.CRON_API_KEY }}' \
+ -H 'authorization: $CRON_API_KEY' \
-sSf
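Review bot: the replacement header is single-quoted, so the shell sends `authorization: $CRON_API_KEY` literally and `-sSf` fails the step on the rejected request; `-H "authorization: $CRON_API_KEY"` is needed. Bear in mind that after expansion the key is still in curl's argv, so the cmdline-exposure rationale in the description is only satisfied by feeding the header to curl via `-K -`.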
</file context>
| -H 'authorization: $CRON_API_KEY' \ | |
| -H "authorization: $CRON_API_KEY" \ |
| -X POST \ | ||
| -H 'content-type: application/json' \ | ||
| -H 'authorization: ${{ secrets.CRON_API_KEY }}' \ | ||
| -H 'authorization: $CRON_API_KEY' \ |
P1: Authorization header uses single quotes, so $CRON_API_KEY is not expanded and cron authentication will fail.
Location: .github/workflows/cron-changeTimeZone.yml, line 23
<file context>
@@ -17,8 +17,8 @@ jobs:
-X POST \
-H 'content-type: application/json' \
- -H 'authorization: ${{ secrets.CRON_API_KEY }}' \
+ -H 'authorization: $CRON_API_KEY' \
-sSf
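Review bot: single quotes around `authorization: $CRON_API_KEY` on the `+` line prevent expansion, so authentication fails; switch to double quotes. As in the other files, shell expansion still places the key in curl's argument list, so the stated `/proc/PID/cmdline` benefit requires passing the header through a `-K -` config on stdin instead.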
</file context>
| APP_URL_US: ${{ vars.APP_URL_US }} | ||
| CRON_API_KEY_EU: ${{ secrets.CRON_API_KEY_EU }} | ||
| CRON_API_KEY_US: ${{ secrets.CRON_API_KEY }} | ||
| CRON_API_KEY_US: ${{ env.CRON_API_KEY }} |
P2: US cron API key is mapped from an undefined env var, causing the US cron step condition to evaluate false and skip execution.
Location: .github/workflows/cron-scheduleWhatsappReminders.yml, line 15
<file context>
@@ -12,7 +12,7 @@ jobs:
APP_URL_US: ${{ vars.APP_URL_US }}
CRON_API_KEY_EU: ${{ secrets.CRON_API_KEY_EU }}
- CRON_API_KEY_US: ${{ secrets.CRON_API_KEY }}
+ CRON_API_KEY_US: ${{ env.CRON_API_KEY }}
runs-on: ubuntu-latest
steps:
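Review bot: the `+` line maps `CRON_API_KEY_US` from `env.CRON_API_KEY`, but the surrounding context shows no `CRON_API_KEY` entry in this env block, so the value is empty and the US step's condition skips it. A job-level `env:` mapping is exactly where the PR description says secrets should be bound, so keep `CRON_API_KEY_US: ${{ secrets.CRON_API_KEY }}` here, as `CRON_API_KEY_EU` on the line above still does; only the `run:` steps should switch to `$CRON_API_KEY_US`.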
</file context>
| APP_URL_US: ${{ vars.APP_URL_US }} | ||
| APP_URL_EU: ${{ vars.APP_URL_EU }} | ||
| CRON_API_KEY_US: ${{ secrets.CRON_API_KEY }} | ||
| CRON_API_KEY_US: ${{ env.CRON_API_KEY }} |
P2: CRON_API_KEY_US is sourced from env.CRON_API_KEY, but CRON_API_KEY isn’t defined anywhere in this workflow. That leaves CRON_API_KEY_US empty and causes the US cron step to be skipped.
Location: .github/workflows/cron-scheduleSMSReminders.yml, line 14
<file context>
@@ -11,7 +11,7 @@ jobs:
APP_URL_US: ${{ vars.APP_URL_US }}
APP_URL_EU: ${{ vars.APP_URL_EU }}
- CRON_API_KEY_US: ${{ secrets.CRON_API_KEY }}
+ CRON_API_KEY_US: ${{ env.CRON_API_KEY }}
CRON_API_KEY_EU: ${{ secrets.CRON_API_KEY_EU }}
runs-on: ubuntu-latest
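Review bot: `CRON_API_KEY_US: ${{ env.CRON_API_KEY }}` references a variable this env block never defines, so the US key is empty and the step guarded on it is skipped. Restore `${{ secrets.CRON_API_KEY }}` on this line (the `CRON_API_KEY_EU` line below it shows the intended form); the secret-to-env binding belongs here, and the `run:` step is where the plain variable should be used.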
</file context>
| APP_URL_US: ${{ vars.APP_URL_US }} | ||
| APP_URL_EU: ${{ vars.APP_URL_EU }} | ||
| CRON_API_KEY_US: ${{ secrets.CRON_API_KEY }} | ||
| CRON_API_KEY_US: ${{ env.CRON_API_KEY }} |
P2: CRON_API_KEY_US now references env.CRON_API_KEY, but this workflow does not define CRON_API_KEY in any env scope. That leaves CRON_API_KEY_US empty and the US curl step is skipped by its if guard.
Location: .github/workflows/cron-webhooks-triggers.yml, line 14
<file context>
@@ -11,7 +11,7 @@ jobs:
APP_URL_US: ${{ vars.APP_URL_US }}
APP_URL_EU: ${{ vars.APP_URL_EU }}
- CRON_API_KEY_US: ${{ secrets.CRON_API_KEY }}
+ CRON_API_KEY_US: ${{ env.CRON_API_KEY }}
CRON_API_KEY_EU: ${{ secrets.CRON_API_KEY_EU }}
runs-on: ubuntu-latest
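Review bot: the `+` line points `CRON_API_KEY_US` at `env.CRON_API_KEY`, which is not defined anywhere in this env block, so `CRON_API_KEY_US` is empty and the `if` guard on the US curl step skips it. Keep `CRON_API_KEY_US: ${{ secrets.CRON_API_KEY }}` in the `env:` block, matching `CRON_API_KEY_EU` directly below, and move the secret-free reference into the `run:` step as the PR description intends.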
</file context>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>