CVE-2026-40903 - goshs ArtiPACKED GitHub Actions token leakage

rg -n "patrickhener/goshs|goshs|v2\\.0\\.0-beta\\.[0-5]|github.com/patrickhener/goshs" .
rg -n "actions/checkout|upload-artifact|download-artifact|artifact|persist-credentials|permissions:" .github/workflows
rg -n "\\.git|github-token|GITHUB_TOKEN|workspace|path:\\s*\\.|path:\\s*\\$\\{\\{ github.workspace \\}\\}" .github/workflows scripts Makefile* justfile* 2>/dev/null
go list -m all | rg "github.com/patrickhener/goshs"

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-40903 (goshs ArtiPACKED GitHub Actions token
leakage). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades goshs, hardens GitHub
  Actions artifact handling, adds verification, and documents token/artifact
  cleanup, or
- TRIAGE.md if this repository does not own affected goshs usage, goshs
  packaging/release automation, or a safe patch path.

## Rules

- Scope only CVE-2026-40903 / GHSA-hpxj-9fgp-fhhf and directly related goshs
  artifact, provenance, and GitHub Actions hardening.
- Treat `GITHUB_TOKEN`, PATs, deploy keys, release tokens, `.git/config`,
  workflow logs, release artifacts, package checksums, SBOMs, provenance
  attestations, and build caches as sensitive.
- Do not download, inspect, print, or attach historical artifacts that may
  contain live or previously live credentials.
- Do not add broad workflow permissions to compensate for
  `persist-credentials: false`.
- Do not rewrite unrelated CI/CD architecture.
- Do not auto-merge.

## Steps

1. Inventory goshs ownership in this repository:
   Go manifests, vendored source, forks, package recipes, Nix files,
   Dockerfiles, release checksums, SBOMs, provenance attestations, mirrors,
   deployment manifests, build scripts, and generated artifacts.
2. Inventory GitHub Actions workflow exposure:
   - `actions/checkout` steps;
   - whether checkout sets `persist-credentials: false`;
   - `actions/upload-artifact` and custom artifact upload commands;
   - artifact paths that include `.`, `${{ github.workspace }}`, source root,
     `.git`, build caches, logs, release directories, or debug bundles;
   - job and workflow-level `permissions`;
   - release/publish jobs that can write tags, releases, packages, images, or
     deployment artifacts.
3. Determine every resolved goshs version. A target is vulnerable if it
   resolves to any version before `v2.0.0-beta.6`; prefer remediation to
   stable `v2.0.0+`.
4. If this repository does not use, package, fork, mirror, deploy, or verify
   goshs, stop with `TRIAGE.md` naming the files checked, why downstream
   exposure is not owned here, and the fixed target `goshs v2.0.0+` or
   `v2.0.0-beta.6+`.
5. Upgrade goshs references and regenerate every derived artifact this repo
   controls: lockfiles, checksums, SBOMs, package metadata, image tags/digests,
   provenance attestations, release manifests, and deployment evidence.
6. Harden GitHub Actions workflows that build, package, mirror, or publish
   goshs:
   - add `persist-credentials: false` to checkout steps unless an explicit
     authenticated push is required;
   - set explicit least-privilege `permissions`;
   - split read-only build jobs from release-writing jobs where practical;
   - prevent artifact uploads from including `.git`, full workspaces, hidden
     credentials, caches with repository metadata, or token-bearing logs;
   - prefer narrow artifact paths such as `dist/*.tar.gz`, `coverage/*.xml`,
     or generated reports with known contents.
7. Add workflow policy tests or static checks:
   - checkout in artifact-producing jobs must set `persist-credentials: false`;
   - artifact upload paths must not include `.git`, `.`, workspace root, or
     unrestricted globs;
   - write permissions are absent from non-release jobs;
   - release jobs document why write permissions are required.
8. Add safe artifact verification:
   - create a synthetic fixture or dry-run artifact manifest that proves `.git`
     is excluded;
   - run secret scanning against generated artifacts when the repository has a
     safe local build path;
   - verify no real token values are printed in logs.
9. Add a PR body section named `CVE-2026-40903 operator actions` that states:
   - goshs versions before and after the change;
   - which workflows used checkout credential persistence;
   - which artifacts could have included `.git` or workspace metadata;
   - whether historical artifacts should be expired or restricted;
   - whether repository tokens, deploy keys, release tokens, package tokens, or
     downstream release artifacts need rotation or rebuild;
   - which GitHub audit logs, workflow run logs, artifact download logs, and
     release events should be reviewed.
10. Run relevant validation: dependency resolution, package build, container
    build, workflow linting, static artifact-policy checks, SBOM refresh,
    checksum regeneration, provenance generation, secret scan, and any release
    dry-run available in this repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-40903 in goshs artifacts`.

## Stop conditions

- No goshs dependency, package, fork, mirror, release path, or deployment is
  controlled by this repository.
- This repository only consumes a fixed goshs release and does not depend on
  affected upstream artifacts.
- Historical artifact inspection would require downloading or printing
  credential-bearing artifacts.
- A release job genuinely needs credential persistence; document the need and
  isolate it from artifact-producing paths instead of silently accepting risk.
- Token rotation or artifact expiry requires repository-owner privileges not
  available to the agent; document the exact human action required.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.