thomasnordquist / MQTT-Explorer

An all-round MQTT client that provides a structured topic overview
https://mqtt-explorer.com

don't use pull_request_target as it opens the repo for pwnage. #813

Closed bj00rn closed 2 weeks ago

bj00rn commented 2 weeks ago

The pull_request_target event will be run in the target repo's context and will have access to secrets, etc.!

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

bj00rn commented 2 weeks ago

@thomasnordquist I'll merge. It turns out that checking out an explicit commit from the source branch is inherently unsafe! Any untrusted code should be run in the context of the source repo!

I suggest we change the event to pull_request to make the tests run in the context of the source repo, with no access to secrets.
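The two workflow shapes discussed in this issue, side by side, as an added illustration (this is not MQTT-Explorer's actual workflow file, and the job name, the `npm` commands and the secret name `SOME_TOKEN` are assumptions). The first document shows the pattern the reporter objects to: `pull_request_target` runs with the base repository's secrets and a write-capable `GITHUB_TOKEN`, and the explicit `ref:` on the checkout step pulls the fork's untrusted head commit into that privileged job, so anything in its `package.json` scripts or tests runs with those secrets. The second document is the suggested fix: on `pull_request`, a PR from a fork gets no repository secrets and a read-only `GITHUB_TOKEN`, so the same test run cannot leak anything.

```yaml
# UNSAFE: pull_request_target + checkout of the PR head (added example, not
# the project's own workflow). Would live at .github/workflows/test.yml.
name: test-unsafe
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the fork's untrusted commit into a job that runs in the
          # base repo's context: secrets and a write GITHUB_TOKEN are available.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # assumed test commands; runs the fork's code
        env:
          # Hypothetical secret name; any secret referenced here can be read
          # and exfiltrated by code in the pull request.
          SOME_TOKEN: ${{ secrets.SOME_TOKEN }}
---
# SAFE: the fix suggested above. Same job, triggered on pull_request instead;
# for PRs from forks no repository secrets are passed and GITHUB_TOKEN is
# read-only, and the explicit permissions block makes that intent visible.
name: test
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Default ref for pull_request is the PR merge commit, no explicit ref needed.
      - uses: actions/checkout@v4
      - run: npm ci && npm test   # assumed test commands; no secrets in scope
```

The `---` separator only keeps the two documents in one fence here; in a repository each would be its own file under `.github/workflows/`. If a project does keep `pull_request_target` for something that genuinely needs write access (labelling, commenting on the PR), the rule from the linked GitHub Security Lab article still applies: that job must never check out or execute anything from the pull request's head.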