Following the discovery of a high-severity vulnerability in one of our GitHub Actions workflows (release-canary.yml, described in https://github.com/callstackincubator/react-native-bottom-tabs/security/advisories/GHSA-588g-38p4-gr6x), Callstack as an organization undertook a thorough review and implemented several key improvements to strengthen our CI/CD pipeline security and minimize the chance of similar issues in the future.
Removed the vulnerable release-canary.yml workflow
The workflow was deleted to eliminate the entry point that allowed for secret exfiltration via untrusted PRs.
While it did not affect any user of the react-native-bottom-tabs library, it could affect contributors, so we decided to remove it.
We conducted a comprehensive audit across all repositories in both the Callstack and Callstack Incubator GitHub organizations:
Removed all pull_request_target triggers
This event type can execute forked code with write permissions, making it unsafe without strict controls.
Reviewed all workflows triggered by pull_request and issue_comment
We ensured these workflows don’t expose secrets or perform privileged operations based on untrusted input.
Pinned most of our GitHub Actions to commit hashes
While not directly related to this vulnerability, we are implementing it as a precautionary measure. It prevents unexpected changes in third-party actions from affecting our builds or introducing vulnerabilities. Not all repositories have pinned actions yet; we are doing this step by step, focusing first on the most popular Callstack libraries, which are already covered.
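As an added, constructed illustration of the three points above (not the original release-canary.yml and not Callstack's own workflow code), the first document shows the risky shape of a pull_request_target workflow and the second a hardened equivalent; NPM_TOKEN, the yarn commands and the commit-SHA placeholder are assumptions for the example.

```yaml
# Constructed illustration, not the original release-canary.yml.
# --- Weak pattern: pull_request_target plus checkout of the PR head ---
# pull_request_target runs in the context of the BASE repository, so the
# job receives repository secrets and a write-capable GITHUB_TOKEN.
# Checking out the fork's commit and running its build scripts hands that
# privileged context to untrusted code.
name: canary-weak
on:
  pull_request_target:
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # movable tag, not a pinned SHA
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork's code
      - run: yarn install && yarn build    # executes the fork's scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret, now reachable by that code
---
# --- Hardened pattern ---
# pull_request from a fork runs with a read-only token and no repository
# secrets, permissions are narrowed explicitly, and third-party actions are
# pinned to a full commit SHA instead of a tag that can be moved.
name: ci
on:
  pull_request:
permissions:
  contents: read          # least privilege for every job in this file
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # <commit-sha> is a placeholder: pin to the 40-character SHA of the
      # release you reviewed and keep the tag in a comment for readability.
      - uses: actions/checkout@<commit-sha> # v4
      - run: yarn install --frozen-lockfile && yarn build
      # No secrets in this job. Publishing belongs in a separate workflow
      # that runs only on trusted events such as push to the default branch.
      # For issue_comment-triggered workflows, treat fields such as
      # github.event.comment.body as untrusted input: pass them through
      # env: rather than interpolating them directly into a run: script.
```

The hardened file assumes publishing is moved to a trusted-event workflow; the page's audit covered pull_request and issue_comment workflows for exactly this kind of untrusted-input exposure.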
Enabling GitHub Advanced Security organization-wide
This ensures better coordination for future security disclosures and encourages proactive security hygiene across all projects.
By addressing both the immediate risk and the systemic causes, we’ve significantly improved the security posture of our open-source infrastructure. We're committed to maintaining a secure environment for contributors and users alike.