GoogleCloudPlatform / alloydb-auth-proxy

A utility for connecting securely to your AlloyDB instances
https://cloud.google.com/alloydb/docs/auth-proxy/overview?hl=hu
Apache License 2.0

ci: remove pull request target usages #676

Closed enocom closed 2 months ago

enocom commented 2 months ago

The pull request target is inherently fragile and prone to security vulnerabilities. The only reason we used it was to put our testing project name, our testing service account email (not key), and WIF provider pool ID into secrets. In fact, all three of those values aren't necessarily secrets and work just as well in environment variables.

We will still need to vet a PR before clicking "approve and run," but that's a much smaller attack surface area than pull request target.
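The contrast the PR describes, shown as an added GitHub Actions workflow example rather than this repository's own CI configuration: the weak `pull_request_target` form is kept only as a comment for comparison, and the live workflow uses `pull_request` with the three non-secret values in plain environment variables. The project id, service account email, Workload Identity Federation provider resource name, job name and test command are all assumed placeholders, not the project's real settings.

```yaml
# Weak form (for contrast only, not used here): pull_request_target runs with the
# base repository's secrets and a write-capable token even for pull requests from
# forks, so any step that checks out and executes PR-controlled code exposes them.
#
#   on:
#     pull_request_target:
#   ...
#         with:
#           workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
#           service_account: ${{ secrets.TEST_SERVICE_ACCOUNT }}

name: integration-tests
on:
  pull_request:          # runs in the PR's own context; fork PRs get no base-repo secrets
    branches: [main]

# Identifiers, not credentials: safe to keep in plain environment variables.
# All three values below are assumed placeholders, not the project's real settings.
env:
  GOOGLE_CLOUD_PROJECT: example-test-project
  TEST_SERVICE_ACCOUNT: ci-tests@example-test-project.iam.gserviceaccount.com
  WIF_PROVIDER: projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/example-provider

permissions:
  contents: read
  id-token: write        # required so the job can mint the OIDC token used for WIF

jobs:
  integration:           # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Keyless authentication: the runner's OIDC token is exchanged for short-lived
      # credentials for the test service account; no service account key is stored.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ env.WIF_PROVIDER }}
          service_account: ${{ env.TEST_SERVICE_ACCOUNT }}

      - run: go test ./...   # assumed test command
```

The "approve and run" step the PR refers to is not in the workflow file: it is the repository's Actions setting that requires a maintainer to approve workflow runs for pull requests from outside collaborators. With that gate plus `pull_request`, a reviewer vets the diff before any job runs, and even an approved run from a fork executes without the base repository's secrets; with `pull_request_target`, by contrast, the secrets were reachable as soon as the workflow ran, which is why moving the three identifiers out of secrets removes the only reason to keep that trigger.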