Open bj00rn opened 3 months ago
Hey there, sorry for taking my time to respond, and feel free to contradict me if you think I am wrong. A proof-of-concept for an attack is also very welcome.
Securing secrets is hard

`pull_request_target` allows you to limit the context of actions to "protected" branches (`main`, `release`). (workflows of target branches are used)

Given a good reason, I might consider using `pull_request` over `pull_request_target`; this will however weaken the security in regard to maintainers.
Make workflow run in source repo context to prevent secrets exposure.

`pull_request_target` event will be run in target repo context and will have access to secrets.

`pull_request_target` event SHA is latest commit in target base branch, and running ui-tests here does not make sense as ui-tests will be run on latest commit in target branch.
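The two observations in this thread (a `pull_request_target` workflow has the target repository's secrets, and its default checkout is the base branch rather than the PR) combine into the well-known footgun: once someone "fixes" the testing problem by checking out `github.event.pull_request.head.sha`, a fork's code runs with the maintainers' secrets. The following is an added example, not code from this project or from either participant. It embeds three constructed workflow files and a small stdlib-only, line-based heuristic that flags the three states the thread describes; the finding codes, the `audit_workflow` name and the sample secret `API_TOKEN` are illustrative assumptions.

```python
"""Audit GitHub Actions workflow text for the pull_request_target footgun.

Added example for this issue thread, not the project's own code. Line-based
heuristic (no YAML parser) so it runs offline with the standard library only.
"""
import re

# Constructed sample: privileged trigger AND checkout of the fork's head.
# Whatever the PR author put in package.json scripts runs here with secrets.
UNSAFE_WORKFLOW = """\
name: ui-tests
on:
  pull_request_target:
    branches: [main, release]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
"""

# Constructed sample: pull_request_target with the default checkout. GITHUB_SHA
# is the base branch tip, so the tests never exercise the PR (the issue's point).
BASE_ONLY_WORKFLOW = """\
name: ui-tests
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed sample: pull_request checks out the PR merge commit, but a fork
# PR gets a read-only GITHUB_TOKEN and no repository secrets.
SAFER_WORKFLOW = """\
name: ui-tests
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Trigger key as it appears under `on:` in a workflow file.
TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:", re.M)
# `ref:` values that point at the fork's head instead of the base branch.
HEAD_REF_RE = re.compile(
    r"^\s*ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}",
    re.M,
)
# Any use of the repository secrets context.
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.")


def audit_workflow(text):
    """Return finding codes (hypothetical names) for one workflow's text."""
    findings = []
    privileged = bool(TRIGGER_RE.search(text))
    checks_out_head = bool(HEAD_REF_RE.search(text))
    uses_secrets = bool(SECRETS_RE.search(text))
    if privileged and checks_out_head:
        # Untrusted fork code executes in the target repository's context.
        findings.append("PR_TARGET_RUNS_FORK_CODE")
        if uses_secrets:
            # ...and can exfiltrate everything the job reads from secrets.*
            findings.append("SECRETS_EXPOSED_TO_FORK")
    elif privileged:
        # Not exploitable this way, but the job tests the base branch, not the PR.
        findings.append("PR_TARGET_TESTS_BASE_BRANCH_ONLY")
    return findings


if __name__ == "__main__":
    for name, wf in [("unsafe", UNSAFE_WORKFLOW),
                     ("base-only", BASE_ONLY_WORKFLOW),
                     ("safer", SAFER_WORKFLOW)]:
        print(f"{name}: {audit_workflow(wf) or ['OK']}")
```

The heuristic only looks at `ref:` lines, so a workflow that fetches the fork's head by other means (a manual `git fetch` of `refs/pull/N/head`, or `actions/checkout` with `repository:` pointing at the fork) would be missed; treat a clean result as "nothing obvious", not as a proof of safety. If the PR's own code must be tested and a later step needs secrets, the documented pattern is to split the job: run the untrusted tests under `pull_request` and do the privileged work in a separate `workflow_run` workflow that never checks out the fork.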