marcel/mermaid
1
0
Fork 0
mirror of https://github.com/mermaid-js/mermaid.git synced 2025-08-15 06:19:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

docs(ci/pr-labeler): warn about security issues

Browse Source 
Using `pull_request_target` is pretty dangerous, since it heavily
increases the risk of malicious PRs getting access to the mermaid-js
repo.

What we're doing currently is safe, but we should add a warning
message just to ensure that we're very careful when we make changes.

See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
This commit is contained in:
Alois Klink
2023-09-24 18:10:10 +01:00
parent 5f740312fe
commit dc22189eef
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/pr-labeler.yml vendored
View File

@@ -1,6 +1,14 @@
name: Apply labels to PR
on:
pull_request_target:
# required for pr-labeler to support PRs from forks
# ===================== ⛔ ☢️ 🚫 ⚠️ Warning ⚠️ 🚫 ☢️ ⛔ =======================
# Be very careful what you put in this GitHub Action workflow file to avoid
# malicious PRs from getting access to the Mermaid-js repo.
#
# Please read the following first before reviewing/merging:
# - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
# - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
types: [opened]
permissions: