From d49ccb084e21efe1614dceb4e5cdc2dffd4f294d Mon Sep 17 00:00:00 2001 From: ylemkimon Date: Mon, 16 Nov 2020 00:11:40 +0900 Subject: [PATCH 1/2] Add warning regarding `pull_request_target` event --- content/actions/reference/events-that-trigger-workflows.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/actions/reference/events-that-trigger-workflows.md b/content/actions/reference/events-that-trigger-workflows.md index f4d23c9caecf..0bda7e937217 100644 --- a/content/actions/reference/events-that-trigger-workflows.md +++ b/content/actions/reference/events-that-trigger-workflows.md @@ -574,6 +574,12 @@ on: This event is similar to `pull_request`, except that it runs in the context of the base repository of the pull request, rather than in the merge commit. This means that you can more safely make your secrets available to the workflows triggered by the pull request, because only workflows defined in the commit on the base repository are run. For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload. +{% warning %} + +**Warning**: When using the `pull_request_target` event, be mindful that it runs in the context of the base repository. As a result, the `GITHUB_TOKEN` has write access to the repository and the cache shares the same scope with the base branch. It is recommended to not run untrusted code in the same context as it may access sensitive information and manipulate the enviroment of the workflow. Furthermore, do not save cache if cache contents could have been altered to prevent cache posioning. + +{% endwarning %} + | Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` | | --------------------- | -------------- | ------------ | -------------| | [`pull_request`](/webhooks/event-payloads/#pull_request) | - `assigned`
- `unassigned`
- `labeled`
- `unlabeled`
- `opened`
- `edited`
- `closed`
- `reopened`
- `synchronize`
- `ready_for_review`
- `locked`
- `unlocked`
- `review_requested`
- `review_request_removed` | Last commit on the PR base branch | PR base branch | From a8cab926e1ede039bc918668a0f636d69aca69b7 Mon Sep 17 00:00:00 2001 From: ylemkimon Date: Fri, 4 Dec 2020 15:43:47 +0900 Subject: [PATCH 2/2] Update content/actions/reference/events-that-trigger-workflows.md Co-authored-by: Martin Lopes <54248166+martin389@users.noreply.github.com> --- content/actions/reference/events-that-trigger-workflows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/events-that-trigger-workflows.md b/content/actions/reference/events-that-trigger-workflows.md index 3e54682f44a0..add49eb6ca31 100644 --- a/content/actions/reference/events-that-trigger-workflows.md +++ b/content/actions/reference/events-that-trigger-workflows.md @@ -580,7 +580,7 @@ This event is similar to `pull_request`, except that it runs in the context of t {% warning %} -**Warning**: When using the `pull_request_target` event, be mindful that it runs in the context of the base repository. As a result, the `GITHUB_TOKEN` has write access to the repository and the cache shares the same scope with the base branch. It is recommended to not run untrusted code in the same context as it may access sensitive information and manipulate the enviroment of the workflow. Furthermore, do not save cache if cache contents could have been altered to prevent cache posioning. +**Warning**: When using the `pull_request_target` event, be aware that it runs in the context of the base repository. This means that the `GITHUB_TOKEN` has write access to the repository, and the cache shares the same scope as the base branch. As a result, do not run untrusted code in the same context, as there is a risk that it may access sensitive information and unexpectedly manipulate the workflow environment. In addition, to help prevent cache poisoning, do not save the cache if there is a possibility that the cache contents were altered. {% endwarning %}
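Review bot: The warning added in the first hunk (PATCH 1/2) has two spelling errors, "enviroment" and "posioning", and its last sentence has a misplaced modifier: "do not save cache if cache contents could have been altered to prevent cache posioning" reads as if the alteration was done in order to prevent poisoning. Suggest "To help prevent cache poisoning, do not save the cache if its contents could have been altered." Separately, since the paragraph just above the hunk says "only workflows defined in the commit on the base repository are run", a reader could conclude the pull request's code never executes at all; it would help to say explicitly that "untrusted code" here means code from the pull request itself, which the workflow may choose to check out or run, and that doing so in this context is what exposes the write-scoped `GITHUB_TOKEN` and the shared cache.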
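Review bot: The rewrite in the second hunk (PATCH 2/2) fixes both typos and the modifier problem from the first commit, so the only style point is that this commit replaces the single line the previous commit introduced; squashing the two before merge would keep the misspelled version out of the history. One wording suggestion remains: "do not run untrusted code in the same context" still does not say where that code would come from, and adding "such as code from the pull request branch" would make the risk concrete without changing the sentence's meaning.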