chore: make greetings on PR First-time Contrib #8885
base: develop
Conversation
@@ -0,0 +1,32 @@ | |||
name: Greetings | |||
|
|||
on: [pull_request_target] |
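Review bot: `on: [pull_request_target]` runs this workflow in the context of the base repository, so a job triggered by an external fork receives a GITHUB_TOKEN with write access and the repository's secrets; that is only safe if no step checks out or executes anything taken from the PR head. Please confirm that the remaining steps of this file never `actions/checkout` the PR ref (`github.event.pull_request.head.sha`) or install/run scripts from it, add a top-level `permissions:` block limited to what a greeting needs (for example `pull-requests: write`), and consider narrowing the trigger to `pull_request_target:` with `types: [opened]` instead of the bare list form so the greeting does not fire on every synchronize.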
Really need to run on pull_request_target, not pull_request only?
TL;DR: Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise. Any automated processing of PRs from an external fork is potentially dangerous and such PRs should be treated like untrusted input.
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
pull_request_target should not be used for security reasons.
By Claude 3 Sonnet. Q: We are running an open source project on GitHub and using GitHub Actions for all pull requests. What are the security considerations when using
When using the
To mitigate these risks, consider the following best practices:
By following these best practices, you can mitigate the risks associated with running untrusted code in your GitHub Actions workflows and maintain a secure environment for your open-source project.
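The pattern the linked Security Lab article warns about, and a greeting workflow that avoids it, as an added example. This is not the workflow from this PR and not anything CodeIgniter4 ships; the action versions, the `greet` job name and the comment text are assumptions chosen for illustration. The first document is the dangerous shape (write token and secrets plus code from the fork); the second keeps `pull_request_target` but never checks out or runs anything from the PR, restricts the token, and builds the comment from a constant rather than from PR-controlled fields.

```yaml
# Added example, not the project's workflow.
# Document 1: UNSAFE pattern (do not copy). pull_request_target runs with the
# base repo's write-capable GITHUB_TOKEN and secrets, and this job then checks
# out and executes code controlled by the fork author.
name: Greetings (unsafe pattern)
on: [pull_request_target]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted fork commit
      # package.json scripts from the fork now run with a write token + secrets
      - run: npm ci && npm run greet
      # also an expression-injection sink: the PR title is pasted into a shell
      - run: echo "Thanks for ${{ github.event.pull_request.title }}"
---
# Document 2: SAFER shape for a first-time-contributor greeting.
# Still pull_request_target (so the token can comment on fork PRs), but:
#  - trigger only on `opened`, not every synchronize
#  - least-privilege permissions at the top level
#  - no checkout, no execution of anything from the PR
#  - comment body is a constant; no PR-controlled strings interpolated
name: Greetings
on:
  pull_request_target:
    types: [opened]
permissions:
  contents: read
  pull-requests: write
jobs:
  greet:
    # author_association is set by GitHub from the event payload, not by the PR author
    if: >-
      github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR' ||
      github.event.pull_request.author_association == 'FIRST_TIMER'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            // Only API calls here; nothing from the fork is fetched or run.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: 'Thanks for your first pull request! A maintainer will review it shortly.',
            });
```

If the greeting ever needs data from the PR itself (title, body, branch name), pass it to a step through `env:` rather than inlining `${{ ... }}` into a `run:` script, and keep the `permissions:` block as narrow as the comment call requires.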
Description
Ref codeigniter4/CodeIgniter4#8878.
Checklist: