To me (someone unfamiliar with Github actions) making the whole workflow read-only like this feels like it'd be the safer approach than limiting tool-calls of a program running within that workflow using its config, and the fact that a read-only workflow can poison GitHub Actions' cache such that other less-restricted workflows execute arbitrary code is an unexpected footgun.
Yeah but this is the thing, that's just text. If I tell someone "you can't post on HN anymore", whether they won't is entirely up to them.
Permissions in context or text are weak, these tools - especially the ones that operate on untrusted input - need to have hard constraints, like no merge permissions.
To be clear - the text I pasted is config for the Github actions workflow, not just part of a prompt being given to a model. The authors seemingly understood that the LLM could be prompt-injected run arbitrary code so put it in a workflow with read-only access to the repo.
I put 50% of the blame on GitHub, and 50% of the blame on postinstall. A cache is expected to have no observable effects other than increased storage usage and decreased download time. A package cache must not be able to inject malware.
GitHub could
1. Call the Actions Cache the "Actions key-value database that can be written to by any workflow and breaks the idempotence of your builds" (unlikely)
2. Disable install scripts (unlikely)
3. Make an individually configured package cache unnecessary by caching HTTP requests to package repositories [^1]
4. Make the actions cache versioned as if it were a folder in the repo itself. This way, it can still be an arbitrary build + package cache, but modifications from one branch can't change the behavior of workflows on another branch.
[1]: Assuming most of the work saved is downloading the packages.
Boundary was meant to be that the workflow only had read-only access to the repository:
> # - contents: read -> Claude can read the codebase but CANNOT write/push any code
> [...]
> # This ensures that even if a malicious user attempts prompt injection via issue content,
> # Claude cannot modify repository code, create branches, or open PRs.
https://github.com/cline/cline/blob/7bdbf0a9a745f6abc09483fe...
To me (someone unfamiliar with Github actions) making the whole workflow read-only like this feels like it'd be the safer approach than limiting tool-calls of a program running within that workflow using its config, and the fact that a read-only workflow can poison GitHub Actions' cache such that other less-restricted workflows execute arbitrary code is an unexpected footgun.