Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios such access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.
Risk: If the workflow executes code from the PR branch, it can potentially expose secrets. Malicious actors could craft PRs that deliberately exploit this to leak secrets.
Mitigation: Carefully design the workflow to avoid executing untrusted code or exposing secrets.
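As an added illustration of the risk and mitigation described in the issue above (this is example code written for this page, not the issue author's text and not the actual mle-pcs notify.yml, whose contents are not shown here), the fence below holds two hypothetical workflows separated by `---`: first a pull_request_target workflow that checks out and executes the fork's code with a secret in the environment, then a hardened notify workflow that keeps the same trigger (so the secret is available for forks) but never checks out or runs anything from the PR. The secret names TELEGRAM_TOKEN and TELEGRAM_CHAT_ID, the job names, and the Telegram call are assumptions; in a real repository each document would be its own file under .github/workflows/.

```yaml
# --- VULNERABLE (assumed example, do not use) -----------------------------
# pull_request_target runs in the context of the base repo, with secrets and
# (by default) a write-capable GITHUB_TOKEN. Checking out the PR head and then
# running its build scripts hands that context to whoever opened the PR.
name: test-vulnerable
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted fork code
      - run: npm ci && npm test   # runs package.json scripts chosen by the PR author
        env:
          TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_TOKEN }}    # now readable by that code
---
# --- HARDENED (assumed example) -------------------------------------------
# Same trigger, so forks still get a notification, but:
#  * no actions/checkout and no build/test step: nothing from the PR executes
#  * permissions pinned to the minimum
#  * PR fields reach the shell only via env vars, never by interpolating
#    ${{ ... }} into the script body (that would be script injection via the
#    PR title)
name: notify
on:
  pull_request_target:
    types: [opened, reopened]
permissions:
  contents: read
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - name: Send Telegram notification
        env:
          TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_TOKEN }}       # assumed secret name
          TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}   # assumed secret name
          PR_TITLE: ${{ github.event.pull_request.title }}    # untrusted, env only
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          if [ -z "$TELEGRAM_TOKEN" ] || [ -z "$TELEGRAM_CHAT_ID" ]; then
            echo "missing telegram token or chat id" >&2
            exit 1
          fi
          curl -sS --fail -X POST \
            "https://api.telegram.org/bot${TELEGRAM_TOKEN}/sendMessage" \
            --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
            --data-urlencode "text=New PR: ${PR_TITLE} ${PR_URL}"
```

The practical check before adopting pull_request_target is to read every step and ask whether anything it runs can be influenced by the PR: a checkout of the head ref, an `npm ci`/`pip install` of the PR's manifest, or a `${{ github.event.pull_request.* }}` expression inside a `run:` line all count. If the job needs the PR's code, the safer pattern from the linked Security Lab article is to build in a secret-less pull_request job and do the privileged work in a separate workflow_run job that only consumes artifacts.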
Error msg: missing telegram token or user list
Reason: See https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
Potential solution: Using pull_request_target Event
mle-pcs/.github/workflows/notify.yml, Lines 6 to 7 in 8232016