From dc22189eef2cdcdf96e8caf26d4e020e74c47fe2 Mon Sep 17 00:00:00 2001 From: Alois Klink Date: Sun, 24 Sep 2023 18:10:10 +0100 Subject: [PATCH] docs(ci/pr-labeler): warn about security issues Using `pull_request_target` is pretty dangerous, since it heavily increases the risk of malicious PRs getting access to the mermaid-js repo. What we're doing currently is safe, but we should add a warning message just to ensure that we're very careful when we make changes. See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ --- .github/workflows/pr-labeler.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml index d2df287e5..52228a227 100644 --- a/.github/workflows/pr-labeler.yml +++ b/.github/workflows/pr-labeler.yml @@ -1,6 +1,14 @@ name: Apply labels to PR on: pull_request_target: + # required for pr-labeler to support PRs from forks + # ===================== ⛔ ☢️ 🚫 ⚠️ Warning ⚠️ 🚫 ☢️ ⛔ ======================= + # Be very careful what you put in this GitHub Action workflow file to avoid + # malicious PRs from getting access to the Mermaid-js repo. + # + # Please read the following first before reviewing/merging: + # - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + # - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ types: [opened] permissions: