22778464265
64%

Ran 06 Mar 2026 07:30PM UTC

Jobs 1

Files 538

Run time 1min

Badge

Embed ▾

Committed 06 Mar 2026 07:21PM UTC coverage: 63.941% (+0.01%) from 63.927%

Build # 22778464265

Build Type

push

github

Committed by

web-flow

Commit Message

Harden CI workflows against prompt injection and supply chain attacks (#4034)

Apply security hardening to GitHub Actions workflows based on an audit
informed by the Clinejection and hackerbot-claw attack patterns:

- claude.yml: Add author_association checks to block untrusted users from
  invoking the AI agent, and restrict allowed_tools to prevent arbitrary
  shell execution via prompt injection
- issue-triage.yml: Remove Bash tool access (replaced with MCP GitHub
  tool for label listing), add prompt injection defense instruction
- CODEOWNERS: Protect CLAUDE.md, .claude/ skills, agents, and rules
  from unauthorized modification (poisoned system prompt vector)
- security-scan.yml: Pin codeql-action and govulncheck-action to SHA
  hashes (were using unpinned tag references)
- releaser.yml: Disable Go module cache for release builds to prevent
  cache poisoning attacks
- pr-size-labeler.yml: Move expression interpolation to env variable
  to prevent injection in github-script context
- image-build-and-publish.yml: Reduce permissions from contents:write
  to contents:read (no git write operations are performed)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Run Details

47302 of 73977 relevant lines covered (63.94%)

75.84 hits per line

Uncovered Existing Lines

Lines	Coverage	∆	File
2	79.79	-0.52%	pkg/transport/proxy/httpsse/http_proxy.go
2	57.89	-3.51%	pkg/transport/session/sse_session.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	22778464265.1	06 Mar 2026 07:30PM UTC	538	63.94	GitHub Action Run

stacklok / toolhive / 22778464265
64%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Existing Lines

Jobs

Source Files on build 22778464265

stacklok / toolhive / 22778464265 64%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Existing Lines

Jobs

Source Files on build 22778464265

stacklok / toolhive / 22778464265
64%

README BADGES
x