From 1a95252f000e7289c6e2d27d2eb6ee409f867bf5 Mon Sep 17 00:00:00 2001 From: Predrag Gruevski <2348618+obi1kenobi@users.noreply.github.com> Date: Mon, 14 Nov 2022 14:34:08 -0500 Subject: [PATCH] Use `pull_request` not `pull_request_target` in GitHub Actions. (#139) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `pull_request` runs on the merge commit between the opened PR and the target branch where the PR is to be merged — `master` in this case. This is desirable because that way the new changes get linted and tested. The existing `pull_request_target` specifier causes lint and test to run _on the target branch itself_ (i.e. `master` in this case). That way the new code in the PR doesn't get linted and tested at all. This can also lead to security vulnerabilities, as described in the GitHub docs: ![image](https://user-images.githubusercontent.com/2348618/201735153-c5dd0c03-2490-45e9-b7f9-f0d47eb0109f.png) Screenshot from here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target Link from the screenshot: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ --- .github/workflows/lint.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8d56deda..68e02335 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,6 +1,6 @@ name: lint -on: [push, pull_request_target] +on: [push, pull_request] jobs: build: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ad0def9e..54b61276 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,6 +1,6 @@ name: test -on: [push, pull_request_target] +on: [push, pull_request] jobs: build: