From 95426f5c78aaf4699f9cbf6d25dec67e09e835c0 Mon Sep 17 00:00:00 2001 From: Giles Cope Date: Thu, 11 Jun 2026 17:43:56 +0100 Subject: [PATCH] fix: harden archive-changes workflow checkout Quarantine the untrusted release ref to release-tree/ and source CI assets (install-season action, season.yml) from a separate default-branch checkout, so an arbitrary inputs.ref cannot execute code with the workflow's contents:write token. Disable credential persistence on both checkouts; the tag fetch authenticates explicitly via http.extraheader. Assisted-by: Claude:claude-fable-5 Signed-off-by: Giles Cope
---
 .github/workflows/archive-changes.yml | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/archive-changes.yml b/.github/workflows/archive-changes.yml
index 150e6380b..37740dc59 100644
--- a/.github/workflows/archive-changes.yml
+++ b/.github/workflows/archive-changes.yml
@@ -92,18 +92,30 @@ jobs:
 pull-requests: write
 env:
 FORCE_COLOR: 1
+ defaults:
+ run:
+ working-directory: release-tree
 steps:
 - name: Checkout repo
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
 with:
+ path: ci-assets
+ persist-credentials: false
+ ref: ${{ github.event.repository.default_branch }}
+
+ - name: Checkout release ref
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 #v6.0.3
+ with:
+ path: release-tree
+ persist-credentials: false
 submodules: true
 ref: ${{ inputs.ref }}
 - name: Install Season
- uses: ./.github/actions/install-season
+ uses: ./ci-assets/.github/actions/install-season
 with:
 gh-token: ${{ secrets.MIDNIGHTCI_PACKAGES_READ }}
- config: ./.github/season.yml
+ config: ${{ github.workspace }}/ci-assets/.github/season.yml
 - name: Setup Env
 shell: bash
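Review bot: With `defaults.run.working-directory: release-tree`, every later `run:` step executes with its cwd inside the untrusted `inputs.ref` checkout, so the isolation the commit message claims holds only as long as none of those steps invokes tooling that picks up scripts or configuration from the current tree (a Makefile, package-manager scripts, tool rc files); those steps, and the job header, lie outside this hunk, so the constraint is worth stating where the default is set. A comment such as `# release-tree is the untrusted inputs.ref checkout; run steps must only invoke tooling from ci-assets or the runner, never scripts or config read from this tree` on `defaults:` would keep the next maintainer from adding a `run: make ...` step here without noticing. As a point of style, both pin comments `#v6.0.3` lack the space yamllint expects; `  # v6.0.3` on each `uses:` line.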
@@ -129,7 +141,9 @@ jobs:
 if: inputs.archive-changes == true
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: git fetch origin tag "$GIT_TAG_RELEASE"
+ run: >-
+ git -c http.https://github.com/.extraheader="AUTHORIZATION: bearer $GH_TOKEN"
+ fetch origin tag "$GIT_TAG_RELEASE"
 - name: Archive changes
 if: inputs.archive-changes == true
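Review bot: The token is now passed on the `git` command line via `-c http.https://github.com/.extraheader=...`, which makes it readable from the process table (`/proc/<pid>/cmdline`) by any other process on the runner for the duration of the fetch; GitHub masks it in logs, so the exposure matters mainly on self-hosted runners shared with other jobs. Git 2.31+ accepts the same configuration through `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` environment variables, which keeps the value out of argv and lets the step's existing `env:` block carry it next to `GH_TOKEN`, restoring the one-line `run:`. Separately, `actions/checkout` itself authenticates git with a `basic` header using `x-access-token` as the username; if GitHub's git endpoint does not honour `bearer` for this fetch, the step would succeed anonymously on a public repository and fail only on a private one, so confirming the fetch is actually authenticated is worthwhile.
```yaml
env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GIT_CONFIG_COUNT: "1"
  GIT_CONFIG_KEY_0: http.https://github.com/.extraheader
  GIT_CONFIG_VALUE_0: "AUTHORIZATION: bearer ${{ secrets.GITHUB_TOKEN }}"
run: git fetch origin tag "$GIT_TAG_RELEASE"
```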