📖 Docs: clarify meaning of Dangerous Workflow #3484
Conversation
docs/checks/internal/checks.yaml
Outdated
| @@ -738,14 +738,15 @@ checks: | |||
| logging github context and secrets, or use of potentially untrusted inputs in scripts. | |||
| The following patterns are checked: | |||
|
|
|||
| Untrusted Code Checkout: This is the misuse of potentially dangerous triggers. | |||
| This checks if a `pull_request_target` or `workflow_run` workflow trigger was used in conjunction | |||
| Untrusted Code Checkout: This is the misuse of potentially dangerous triggers. | |||
There was a problem hiding this comment.
probably should remove trailing whitespace, it'll make the diff less noisy too
lucasgonze
force-pushed
the
fix-2831-ux
branch
from
53ee85a
to
db7b137
Compare
lucasgonze
changed the title
docs/checks/internal/checks.yaml
Outdated
| @@ -746,6 +746,7 @@ checks: | |||
| example, by using build scripts controlled by the author of the PR or reading | |||
| token in memory. This check does not detect whether untrusted code checkouts are | |||
| used safely, for example, only on pull request that have been assigned a label. | |||
| See [Keeping your GitHub Actions and workflows secure Part 1](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). | |||
There was a problem hiding this comment.
we already link to this a few lines below in the remediation section.
See this [post](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
for information on avoiding untrusted code checkouts.
Is this a matter of visibility? having the link in one section vs another?
There was a problem hiding this comment.
Deleted duplicate link and re-pushed.
There was a problem hiding this comment.
The PR now appears to be a single tab.
Can the PR and issue be closed? Or is there still some unaddressed ambiguity? I'm all for fixing ambiguity in the docs if needed.
There was a problem hiding this comment.
We ended up using this pull request to complete the deferred conversation at #2831 (comment) . Let's close this.
lucasgonze
force-pushed
the
fix-2831-ux
branch
from
db7b137
to
108c78a
Compare
Changes documentation message per discussion in ticket Signed-off-by: Lucas Gonze <[email protected]>
lucasgonze
force-pushed
the
fix-2831-ux
branch
from
108c78a
to
1ce7493
Compare
|
We ended up using this pull request to complete the deferred conversation at #2831 (comment) . Let's close this. |
Changes documentation message per discussion in ticket #2831
What kind of change does this PR introduce?
Change type: docs update
Note: the only guideline there is including the 📖 icon
What is the current behavior?
See discussion in #2831
What is the new behavior (if this is a feature change)?**
N/A
Which issue(s) this PR fixes
Fixes #2831
Special notes for your reviewer
Does this PR introduce a user-facing change?
The change is an improvement to user-facing documentation to clarify meaning of "Dangerous Workflow".