Harden workflow GitHub context handling

[enyst]

• A human has tested these changes.

---

Why

Part of the cross-repo fix for OpenHands/software-agent-sdk#3371. Workflow run: blocks should not interpolate attacker-influenced GitHub context, workflow inputs, or derived step outputs directly into shell scripts.

Summary

• Moves repository dispatch payloads, workflow inputs, PR refs, and step outputs through env: before shell use.
• Hardens CI, Docker image, npm publish, sync, and PR artifact workflows.
• Keeps generated metadata and comments using shell environment variables rather than direct ${{ ... }} interpolation.

Issue Number

Fixes OpenHands/software-agent-sdk#3371

How to Test

• python + PyYAML validation over all changed workflow/action YAML files across the audited repositories: validated changed yaml files: 33
• Repository scanner confirmed: remaining suspicious run blocks: 0
• git diff --check across all audited repositories

Video/Screenshots

Not applicable; workflow hardening only.

Type

• Bug fix
• Feature
• Refactor
• Breaking change
• Docs / chore

Notes

This PR was created by an AI agent (OpenHands) on behalf of the user.

@enyst can click here to continue refining the PR

---

🐳 Docker images for this PR

• GHCR package: https://github.com/OpenHands/agent-canvas/pkgs/container/agent-canvas

Component	Value
Image	ghcr.io/openhands/agent-canvas
Architectures	amd64, arm64
Agent Server	ghcr.io/openhands/agent-server:1.23.0-python
Automation	openhands-automation==1.0.0a3
Commit	38dd249897797440a0d0755f2d43e2e3d0b7a8a6

Pull (multi-arch manifest)

# Multi-arch manifest — Docker automatically pulls the correct architecture
docker pull ghcr.io/openhands/agent-canvas:sha-38dd249

Run

docker run -it --rm \
  -p 8000:8000 \
  ghcr.io/openhands/agent-canvas:sha-38dd249

All tags pushed for this build

ghcr.io/openhands/agent-canvas:sha-38dd249-amd64
ghcr.io/openhands/agent-canvas:openhands-issue-3371-workflow-env-amd64
ghcr.io/openhands/agent-canvas:pr-750-amd64
ghcr.io/openhands/agent-canvas:sha-38dd249-arm64
ghcr.io/openhands/agent-canvas:openhands-issue-3371-workflow-env-arm64
ghcr.io/openhands/agent-canvas:pr-750-arm64
ghcr.io/openhands/agent-canvas:sha-38dd249
ghcr.io/openhands/agent-canvas:openhands-issue-3371-workflow-env
ghcr.io/openhands/agent-canvas:pr-750

About Multi-Architecture Support

• Each tag (e.g., sha-38dd249) is a multi-arch manifest supporting both amd64 and arm64
• Docker automatically pulls the correct architecture for your platform
• Individual architecture tags (e.g., sha-38dd249-amd64) are also available if needed

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agent-canvas	Ready	Preview, Comment	May 24, 2026 8:22am

[all-hands-bot]

🟡 Acceptable - Solid security hardening work with one inconsistency to address

[IMPROVEMENT OPPORTUNITIES]

The security improvements are well-executed overall, but there's an inconsistency in .github/workflows/ci.yml that should be addressed for completeness:

In the "Fetch PR head directly" step, PR_HEAD_REPO is properly moved through the env: block, but steps.pr_context.outputs.head_sha is still directly interpolated in three places. This is inconsistent with the PR's stated goal of moving step outputs through env vars and could leave a potential injection vector.

[RISK ASSESSMENT]
⚠️ Risk Assessment: 🟡 MEDIUM

This PR improves workflow security by hardening against GitHub context injection attacks. The changes correctly follow the principle of moving attacker-influenced data through environment variables in most cases. However, the remaining direct interpolation of head_sha in ci.yml is inconsistent with the security improvement and should be addressed for completeness. The fix is trivial and will close the remaining gap.

VERDICT:
✅ Worth merging after addressing the inconsistency noted above

KEY INSIGHT:
This PR successfully implements the principle of defense-in-depth for workflow security by routing GitHub context through environment variables, but should complete the pattern consistently across all step outputs.

---

Was this automated review useful? React with 👍 or 👎 to this review to help us measure review quality.
Workflow run: https://github.com/OpenHands/agent-canvas/actions/runs/26371144793

[github-actions]

📸 Snapshot Test Report

Warning

Snapshot comparison step crashed (timeout, OOM, or runner error) — diff results below may be incomplete or absent.
Check the CI logs for the full error output (look for the "Run snapshot comparison" step).

❌ 24 snapshots differ from the main branch baselines. Add the update-snapshots label to acknowledge intentional changes.

Category	Count
🔴 Changed	24
🆕 New	0
✅ Unchanged	49
Total	73

How to resolve:

• Unintentional diffs — the baselines on main may have moved since this branch was created. Merge the latest main into this branch and re-run CI.
• Intentional changes — add the update-snapshots label. CI will pass and the new screenshots become the baseline when this PR merges.

🔴 Changed snapshots (24)

automations

automations-no-automations

Expected (main)	Actual (PR)	Diff

backends-extended — 10 snapshots

backend-add-blank-disabled

Expected (main)	Actual (PR)	Diff

backend-add-cloud-advanced-open

Expected (main)	Actual (PR)	Diff

backend-add-cloud-no-key-disabled

Expected (main)	Actual (PR)	Diff

backend-add-form-partially-filled

Expected (main)	Actual (PR)	Diff

backend-add-local-ready

Expected (main)	Actual (PR)	Diff

backend-add-two-column-layout

Expected (main)	Actual (PR)	Diff

backend-add-whitespace-host-disabled

Expected (main)	Actual (PR)	Diff

backend-dropdown-two-backends

Expected (main)	Actual (PR)	Diff

backend-edit-prefilled

Expected (main)	Actual (PR)	Diff

backend-manage-two-listed

Expected (main)	Actual (PR)	Diff

backends — 3 snapshots

backend-add-modal

Expected (main)	Actual (PR)	Diff

backend-manage-modal

Expected (main)	Actual (PR)	Diff

backend-selector-open

Expected (main)	Actual (PR)	Diff

collapsible-thinking

think-action-collapsed

Expected (main)	Actual (PR)	Diff

mcp-page

mcp-slack-install-2-modal

Expected (main)	Actual (PR)	Diff

settings-page — 2 snapshots

add-backend-modal

Expected (main)	Actual (PR)	Diff

home-screen

Expected (main)	Actual (PR)	Diff

sidebar — 2 snapshots

sidebar-collapsed

Expected (main)	Actual (PR)	Diff

sidebar-filter-menu

Expected (main)	Actual (PR)	Diff

skills-page — 4 snapshots

skills-loaded

Expected (main)	Actual (PR)	Diff

skills-no-match

Expected (main)	Actual (PR)	Diff

skills-search-filtered

Expected (main)	Actual (PR)	Diff

skills-type-filter

Expected (main)	Actual (PR)	Diff

✅ Unchanged snapshots (49)

archived-conversation

• conversation-panel-with-archived-badges
• conversation-view-archived
• conversation-view-sandbox-error

automations

• automations-delete-modal
• automations-list-active-inactive
• automations-search-no-results

backends-extended

• backend-add-cloud-with-key-enabled
• backend-add-invalid-url-disabled
• backend-add-name-only-disabled
• backend-after-switch
• backend-cancel-nothing-saved
• backend-manage-after-removal
• backend-remove-cancelled
• backend-remove-confirmation
• backend-switch-overlay

changes-tab

• changes-deleted-file
• changes-diff-viewer
• changes-empty

collapsible-thinking

• reasoning-content-collapsed
• reasoning-content-expanded
• think-action-expanded

mcp-page

• mcp-custom-server-1-editor-open
• mcp-custom-server-2-url-filled
• mcp-custom-server-3-all-filled
• mcp-custom-server-4-installed
• mcp-custom-server-editor
• mcp-empty-installed
• mcp-search-filtered
• mcp-slack-install-1-marketplace
• mcp-slack-install-3-filled
• mcp-slack-install-4-installed

onboarding

• onboarding-step-0-choose-agent
• onboarding-step-1-check-backend
• onboarding-step-2-setup-llm
• onboarding-step-3-say-hello

projects-workspace-browser

• projects-workspace-browser

settings-page

• analytics-consent-modal
• settings-app-page
• settings-page

settings-secrets

• secrets-add-form-filled
• secrets-add-form
• secrets-after-save
• secrets-delete-confirm
• secrets-list

settings-verification

• condenser-settings
• verification-settings-off
• verification-settings-on

sidebar

• sidebar-conversation-panel

skills-page

• skills-empty

---

Generated by the Snapshot Tests workflow. This comment was created by an AI agent (OpenHands) on behalf of the repo maintainers.