Authentication is needed to run workflows for PR
Raghav-Bell opened this issue · 7 comments
Every time a new PR is opened, workflows don't run automatically, which slows down the contribution process (and is not scalable either).

I suggest using `pull_request_target` instead of `pull_request` in GitHub Actions. More restrictions can be added using `types`. Check out the references.

References: Rust/.github/workflows/build.yml, line 3 in b4cf132
Could you explain why `pull_request_target` is better? Is it correct that it uses "workflow yaml instructions" from the master branch, but Rust code from the feature branch?

I'm open to considering changing this, but please explain clearly the requested changes and their impact.
Workflows triggered via `pull_request_target` have write permission to the target repository. They also have access to target repository secrets. The same is true for workflows triggered on `pull_request` from a branch in the same repository, but not from external forks. The reasoning behind the latter is that it is safe to share the repository secrets if the user creating the PR has write permission to the target repository already. Refer: GitHub security blog
I just want to automate workflow runs when any PR is opened from an external fork. But it seems `pull_request_target` is vulnerable to code injection or remote code execution. Let me know if we can do it some other way.
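The split the previous two comments point at (untrusted PR code stays under `pull_request` with a read-only token; `pull_request_target` is reserved for privileged metadata work that never executes the PR head) can be expressed as two workflows. The following is an added example written for this thread, not the rust-lang/rust repository's own build.yml and not code posted by any participant. The file names, job names, the `needs-review` label and the `cargo test` placeholder are assumptions; `actions/checkout` and `actions/github-script` are real actions.

```yaml
# Added example, not from the rust-lang/rust repository or this issue's participants.
# File names, job names, label name and the test command are assumptions.

# --- .github/workflows/build.yml: untrusted CI, runs for every PR including forks ---
name: build
on:
  pull_request:
    # `types` narrows when the workflow fires (assumed set; default is these three).
    types: [opened, synchronize, reopened]
# For a fork PR, GITHUB_TOKEN is read-only and repository secrets are withheld,
# so executing code supplied by the PR here cannot modify the repo or leak secrets.
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the PR merge commit (untrusted code)
      - run: cargo test --locked    # placeholder for the project's real test command
---
# --- .github/workflows/pr-label.yml: privileged, but never touches PR code ---
name: pr-label
on:
  pull_request_target:
    types: [opened]
# pull_request_target runs the workflow definition from the base branch with a
# write-capable token and access to secrets. The unsafe pattern to avoid in this
# file is checking out the PR head (e.g. `ref: ${{ github.event.pull_request.head.sha }}`)
# and then building or testing it: that would run fork-controlled code with the
# privileged token. This workflow only calls the API, so no PR code ever executes.
permissions:
  pull-requests: write   # the minimum this job needs; no `contents: write`
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            // Label the new PR so maintainers see it; the PR body is never evaluated.
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              labels: ['needs-review'],
            });
```

The two documents are separated by `---` only so they fit in one block; in a repository they are two files under `.github/workflows/`. The rule of thumb the maintainer asked about is visible in the second file: `pull_request_target` answers "which workflow definition and which credentials" (base branch, privileged), and the job must therefore never check out or run anything from the PR head.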
This issue has been automatically marked as abandoned because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.