TheAlgorithms/Rust

Authentication is needed to run workflows for PR

Raghav-Bell opened this issue · 7 comments

Every time a new PR is opened, workflows don't run automatically, which slows down the contribution process (and is not scalable either).
I suggest using pull_request_target instead of pull_request in GitHub Actions. More restrictions can be added using types. Check out the references.

on: pull_request

References:

  1. pull_request_target github docs
  2. What is the difference between pull_request and pull_request_target event in GitHub Actions
  3. Approval workflows github docs
siriak commented

Could you explain why pull_request_target is better? Is it correct that it uses "workflow yaml instructions" from the master branch, but Rust code from the feature branch?
I'm open to considering changing this, but please explain clearly the requested changes and their impact.

Workflows triggered via pull_request_target have write permission to the target repository. They also have access to target repository secrets. The same is true for workflows triggered on pull_request from a branch in the same repository, but not from external forks. The reasoning behind the latter is that it is safe to share the repository secrets if the user creating the PR has write permission to the target repository already. Refer to the GitHub security blog.

I just want to automate workflow run when any PR is opened from external fork. But it seems pull_request_target is vulnerable to code injection or remote code execution. Let me know if we can do it some other way.
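The risk described in the comment above, as an added illustration that is not a workflow from the TheAlgorithms/Rust repository: the first document combines pull_request_target with a checkout of the fork's head commit and then builds that code while holding the base repository's write token and secrets; the second keeps fork-triggered runs on pull_request with an explicitly read-only token. Workflow names, the secret name and the step contents are placeholders.

```yaml
# Added example, not from the repository. Two workflow documents separated
# by "---" so the file stays valid YAML; in practice each is its own file.

# --- Unsafe pattern: do not use ---
# pull_request_target runs in the context of the base repository: the
# GITHUB_TOKEN has write access and repository secrets are available.
# Checking out the PR head and building it executes whatever the fork's
# commit contains (build.rs, proc-macros, Cargo dependencies) with that
# access. This is the "code injection" the comment above refers to.
name: ci-unsafe
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code checked out...
      - run: cargo test --workspace                        # ...and executed with the write token
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}      # placeholder secret, now exposed to the fork
---
# --- Safer pattern ---
# Stay on pull_request for fork PRs: the token is read-only and secrets
# are not passed to the run. "permissions" pins the token scope explicitly
# so a change in repository defaults cannot widen it later.
name: ci
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the PR merge commit, under a read-only token
      - run: cargo test --workspace
```

The approval prompt the issue complains about is a repository-level Actions setting for fork pull requests (see reference 3), not something the workflow file controls, so switching the trigger does not remove it safely.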

This issue has been automatically marked as abandoned because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

siriak commented

It's related to #596, let's see if it helps

This issue has been automatically marked as abandoned because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

siriak commented

Let's wait for #596

This issue has been automatically marked as abandoned because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.