Is pull_request_target required for forks (doc may be outdated) #219
Comments
|
Hey, and thank you for raising this question! There's a chance that we could get rid of the token, maybe that would allow us to recommend a single event trigger in the future: #218. It's likely possible that the docs became outdated at some point, unfortunately I don't have the time currently to look into this in detail. |
ningziwen
added a commit
to runfinch/common-tests
that referenced
this issue
Nov 23, 2022
*Description of changes:* PR fixes the TODOs by repos being private Reference: amannn/action-semantic-pull-request#219 *Testing done:* N/A - [ X ] I've reviewed the guidance in CONTRIBUTING.md #### License Acceptance By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Signed-off-by: Ziwen Ning <ningziwe@amazon.com>
ningziwen
added a commit
to runfinch/finch-core
that referenced
this issue
Nov 23, 2022
*Description of changes:* PR fixes the TODOs by repos being private Reference: amannn/action-semantic-pull-request#219 *Testing done:* N/A - [ X ] I've reviewed the guidance in CONTRIBUTING.md #### License Acceptance By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. Signed-off-by: Ziwen Ning <ningziwe@amazon.com>
|
I'd like to vote for this issue. The use of pull_request_target triggers Dangerous-Workflow in OpenSSF Scorecard because it permits a malicious repo or action to take advantage of the write permission. https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ |
BlairCurrey
added a commit
to BlairCurrey/trpc-koa-adapter
that referenced
this issue
Mar 17, 2024
- should work with forks and avoids potential secutity issue? amannn/action-semantic-pull-request#219
BlairCurrey
added a commit
to BlairCurrey/trpc-koa-adapter
that referenced
this issue
Mar 20, 2024
* ci: add lint pr workflow * chore: make first mention of tRPC and Koa links * chore: manual trigger for test * Revert "chore: manual trigger for test" This reverts commit bb5efac. * chore: attempt to trigger on pr * Revert "chore: attempt to trigger on pr" This reverts commit a8a192d. * chore: switch trigger - should work with forks and avoids potential secutity issue? amannn/action-semantic-pull-request#219 * ci: run tests against node version 16, 18, 20 * ci: fix node 16 tests * chore: rm commit msg lint linting in PR title. individual commits technically dont matter because they are squash/merged. * chore: rm typo item for unused pkg manager file * chore: make eslint stricter, apply to test * ci: add lint, format to gh workflow * chore: rm husky hooks * fix: gh action lint, install order * chore: update package lock
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
From the
pull_requestsection in Event triggers:However, according to Github documentation, the main difference between
pull_request_targetandpull_requestis that the former also gives write permissions, which does not seem to be required byaction-semantic-pull-request.Furthermore, a run triggered from a fork did finish successfully even though it's
pull_requestinstead ofpull_reuqest_targetin the corresponding workflow file.As a result, the documentation may be outdated.
To reproduce
pull_requestto be the triggering events.Expected behavior
Updated documentation.
The text was updated successfully, but these errors were encountered: