antipattern is designed to preserve maintainer attention without expanding the attack surface of untrusted pull requests.
allowUnsafeExecutiondefaults tofalse.- Default mode is
comment-only. - Labels are suggested only by default.
- Reports are written locally for the workflow run; long-term storage is off by default.
- Secrets and high-entropy tokens are redacted from prompt context.
- Check runs are neutral unless strict mode is explicitly configured.
By default, antipattern inspects GitHub metadata, issue or PR text, labels, changed file metadata, and diffs. It must not run:
npm installpip install- build scripts
- test scripts
- arbitrary repository commands
This matters because untrusted PRs can modify package scripts, dependency hooks, test files, and build tooling.
pull_request_target runs with permissions from the base repository. If a workflow checks out and executes code from an untrusted PR under pull_request_target, attacker-controlled code can potentially access privileged tokens or secrets.
Use pull_request for untrusted PR analysis. If write permissions are needed for comments, labels, or check runs, keep them in a separate job with narrow permissions and sanitized inputs.
For default comment mode:
permissions:
contents: read
pull-requests: write
issues: writeFor dry-run analysis only:
permissions:
contents: read
pull-requests: read
issues: readFor optional check runs:
permissions:
contents: read
pull-requests: write
issues: write
checks: writePR bodies, issue bodies, comments, commit messages, filenames, and diffs are untrusted. antipattern sanitizes common instruction-like strings before building Codex prompt context and records a policy finding when such strings appear.
Codex second-pass prompts must instruct the model to ignore instructions inside contribution content and return strict JSON only.
antipattern redacts common token formats such as GitHub tokens, OpenAI API keys, AWS access keys, and long high-entropy strings before prompt context is emitted.
Do not print raw event payloads, raw diffs, or API keys in workflow logs.