Build secure GitHub Action for article translation #665
Merged: miyaliu666 merged 4 commits into main from claude/github-action-auto-translate-011CV5wpYfHyvALJFp3wqfat on Nov 28, 2025
Conversation
…idation
This commit introduces a new secure auto-translate workflow that addresses
security vulnerabilities in the previous implementation. The workflow automates
article translation when maintainers add language labels to issues.
Key Security Improvements:
- Input validation and sanitization for all user-provided data
- Label whitelist (only allows: chinese, spanish, portuguese, italian, japanese, korean, ukrainian)
- URL validation against strict patterns (only freeCodeCamp News articles)
- Filename sanitization to prevent path traversal attacks
- Safe variable handling (no code injection vectors)
- Defense-in-depth validation at multiple layers
- Principle of least privilege for job permissions
- Comprehensive error handling and user notifications
New Files:
- .github/workflows/auto-translate-secure.yml - Main secure workflow
- scripts/validateAutoTranslateInput.js - Input validation helper
- scripts/sanitizeFilename.js - Filename sanitization helper
- docs/AUTO_TRANSLATE_WORKFLOW.md - Comprehensive documentation
Workflow Features:
- Triggers only on specific language labels
- Validates issue title format: [lang] Title
- Validates issue body contains valid freeCodeCamp article URL
- Fetches and commits original to main branch (articles/_raw/ and articles/{lang}/)
- Switches to auto-translate branch
- Performs AI translation using OpenAI
- Commits translated file to auto-translate branch
- Posts helpful comments to guide contributors
- Push retry with exponential backoff (2s, 4s, 8s, 16s)
- Concurrency control to prevent conflicts
Security Measures:
1. No code injection - all inputs validated and sanitized
2. No path traversal - filenames stripped to basename only
3. No arbitrary file operations - strict path validation
4. Minimal permissions per job
5. Trusted actions only (GitHub official + freeCodeCamp)
6. No eval() or dynamic code execution
7. Environment variables properly escaped
8. Clear separation of validation and execution
References: OWASP Input Validation, GitHub Actions Security Best Practices
…entation
Replaces the existing auto-translate workflow with a comprehensive secure version that addresses all previous security vulnerabilities.
Key Changes:
- Added validation job that runs BEFORE translation
- Comprehensive input sanitization for all user data
- Label whitelist (chinese, spanish, portuguese, italian, japanese, korean, ukrainian)
- URL validation (only freeCodeCamp News articles)
- Filename sanitization to prevent path traversal
- Safe variable handling throughout
- Improved push retry with exponential backoff (4 retries: 2s, 4s, 8s, 16s)
- Better user notifications (processing, success, failure comments)
- Defense-in-depth validation at multiple layers
- Job-level permissions (principle of least privilege)
Security Improvements:
✅ No code injection - all inputs validated before use
✅ No path traversal - filenames sanitized to basename only
✅ No arbitrary URLs - strict pattern matching
✅ Proper error handling with clear messages
✅ Environment variables safely escaped
✅ Validation separated from execution
The workflow maintains the same name and user experience while being completely rewritten for security.
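The two commit messages above describe a validation layer (label whitelist, "[lang] Title" check, strict News URL matching, basename-only filenames, defense in depth) without showing it. The following is an added example of how such a layer can be written, not the PR's own scripts; it assumes the whitelist from the commit message and News URLs of the form https://www.freecodecamp.org/news/<slug>/.

```javascript
// Added example (not the PR's own scripts): the validation layer the commit
// messages describe. Assumed: the label whitelist from the commit, an issue
// title "[lang] Title", and News URLs https://www.freecodecamp.org/news/<slug>/.
const ALLOWED_LANGS = new Set([
  "chinese", "spanish", "portuguese", "italian", "japanese", "korean", "ukrainian",
]);

// Scheme, host and path are anchored; the slug is restricted to a small
// character set so nothing unexpected reaches git, the shell, or the filesystem.
const NEWS_URL = /^https:\/\/www\.freecodecamp\.org\/news\/([a-z0-9]+(?:-[a-z0-9]+)*)\/?$/;

// Exact-match whitelist: any label text not in the set is rejected.
function validateLabel(label) {
  const lang = String(label).trim().toLowerCase();
  return ALLOWED_LANGS.has(lang) ? lang : null;
}

// Issue title must be "[lang] Title" with a whitelisted lang.
function validateTitle(title) {
  const m = /^\[([a-z]+)\]\s+(\S.*)$/i.exec(String(title).trim());
  if (!m) return null;
  const lang = validateLabel(m[1]);
  return lang ? { lang, title: m[2].trim() } : null;
}

// The body is free text; accept it only if exactly one line is a valid News URL.
function extractArticleSlug(body) {
  const hits = String(body).split(/\r?\n/)
    .map((l) => NEWS_URL.exec(l.trim())).filter(Boolean);
  return hits.length === 1 ? hits[0][1] : null;
}

// Reduce to basename (both separator styles), keep only safe characters,
// and refuse names that are empty or dot-only after cleaning.
function sanitizeFilename(name) {
  const parts = String(name).replace(/\\/g, "/").split("/");
  const base = parts[parts.length - 1];
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, "").replace(/^\.+/, "");
  if (!cleaned) return null;
  return cleaned.endsWith(".md") ? cleaned : `${cleaned}.md`;
}
// Second layer (defense in depth): build the target path only from values
// that already passed the checks above, and re-verify the result.
function targetPath(lang, slug) {
  const safeLang = validateLabel(lang);
  const file = sanitizeFilename(slug);
  if (!safeLang || !file || file.includes("/") || file.startsWith(".")) return null;
  return `articles/${safeLang}/${file}`;
}
```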
- Rename ArticlesAutoTranslate.yml -> articles-auto-translate.yml for consistency
- Remove docs/AUTO_TRANSLATE_WORKFLOW.md (not needed)
- All workflows now use kebab-case naming
- Clean up workflow echo statements
- Remove all emojis from code
- Remove redundant comments
- Keep code professional and minimal
Member, Author: @freeCodeCamp/i18n did you get a chance to review this?
Member: LGTM
miyaliu666 added a commit that referenced this pull request on Dec 3, 2025:
This reverts commit 602b765.
miyaliu666 added a commit that referenced this pull request on Dec 3, 2025.
No description provided.