From 42c096c4419fc7db1ff75e0f43975b0524f9590b Mon Sep 17 00:00:00 2001
From: cx-noam-brendel <139764378+cx-noam-brendel@users.noreply.github.com>
Date: Sun, 10 May 2026 11:54:10 +0300
Subject: [PATCH] Remove pr-add-reviewers.yml (auto-add of compromised account)

The workflow's only step hard-coded `cx-plugins-releases` as a PR reviewer. That account ("AST Sypher", astsypher@checkmarx.com) appears compromised by the Mini Shai-Hulud supply-chain worm: on 2026-05-09 it created 11 public Dune-themed repos containing exfiltrated secrets in results/ directories (one ~52 MB), and the same day a rogue version 2026.5.09 of the checkmarx-ast-scanner Jenkins plugin was published outside the release pipeline. Removing the static reference until Security/IR completes the rotation and a clean replacement reviewer is decided.
---
 .github/workflows/pr-add-reviewers.yml | 22 ----------------------
 1 file changed, 22 deletions(-)
 delete mode 100644 .github/workflows/pr-add-reviewers.yml

diff --git a/.github/workflows/pr-add-reviewers.yml b/.github/workflows/pr-add-reviewers.yml
deleted file mode 100644
index 23f5623b7..000000000
--- a/.github/workflows/pr-add-reviewers.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: PR add reviewers
-on:
-  pull_request_target:
-    types: [ready_for_review, opened, reopened]
-
-permissions:
-  contents: none
-  issues: write
-  pull-requests: write
-
-jobs:
-  add-assignee-and-reviewers:
-    runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.type != 'Bot' }}
-    steps:
-      - name: Request reviewers
-        env:
-          GH_REPO: ${{ github.repository }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PRNUM: ${{ github.event.pull_request.number }}
-          PRAUTHOR: ${{ github.event.pull_request.user.login }}
-        run: gh pr edit $PRNUM --add-reviewer cx-plugins-releases