Fix issue with workflow on forks #99
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This allows the add-to-project workflow to work on forks.
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
emcfarlane
approved these changes
Nov 15, 2023
akshayjshah
reviewed
Nov 15, 2023
| @@ -6,7 +6,7 @@ on: | |||
| - opened | |||
| - reopened | |||
| - transferred | |||
| pull_request: | |||
| pull_request_target: | |||
There was a problem hiding this comment.
I've heard a fair bit about secret exfiltration from repositories using this feature, but I don't know the details. Does allowing forks to access our secrets in this way potentially expose those secrets to code in the fork? Are the tokens here allowed to do anything sensitive?
There was a problem hiding this comment.
I discussed it with @rubensf who confirmed those issues don't apply in this case, and this is safe to do.
There was a problem hiding this comment.
See also the TL;DR from here:
Combining
pull_request_targetworkflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.
We aren't doing any checkout here, and are using pull_request_target for its intended purpose: to process PRs safely. Also from that page:
pull_request_targetruns in the context of the target repository of the PR, rather than in the merge commit. This means the standard checkout action uses the target repository to prevent accidental usage of the user supplied code.
This automation doesn't create issues, it just adds them to the project, and an issue cannot be added twice. See this test issue if you want to try it out yourself. |
nicksnyder
approved these changes
Nov 15, 2023
chrispine
added a commit
to connectrpc/examples-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-kotlin
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-swift
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/conformance
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/grpcreflect-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/vanguard-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/examples-es
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/otelconnect-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/validate-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-es
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-query-es
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/grpchealth-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-playwright-es
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/envoy-demo
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
This was referenced Nov 16, 2023
This was referenced Nov 16, 2023
chrispine
added a commit
to connectrpc/examples-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-kotlin
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-swift
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/conformance
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/grpcreflect-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/vanguard-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/examples-es
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/otelconnect-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/validate-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-es
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-query-es
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/grpchealth-go
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/connect-playwright-es
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
chrispine
added a commit
to connectrpc/envoy-demo
that referenced
this pull request
Nov 16, 2023
See connectrpc/connectrpc.com#99 for more context
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This allows the add-to-project workflow to work on forks.