
TG Notification is Not Working for PRs From Forked Repositories #13

Open
p0n1 opened this issue Dec 16, 2024 · 0 comments

p0n1 (Contributor) commented Dec 16, 2024

Error msg: missing telegram token or user list

Reason:

Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios such access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.

See https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Potential solution: Using pull_request_target Event

```yaml
pull_request:
  types: [opened, closed, reopened]
```

Risk: If the workflow executes code from the PR branch, it can potentially expose secrets. Malicious actors could craft PRs that deliberately exploit this to leak secrets.

Mitigation: Carefully design the workflow to avoid executing untrusted code or exposing secrets.
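A hardened notification workflow that follows the mitigation above, added here as an illustration and not code from this repository: it uses `pull_request_target` so the secrets are available for fork PRs, but never checks out or runs anything from the PR branch, reads only event metadata, and passes that metadata through environment variables so a crafted PR title cannot inject shell commands. The secret names `TELEGRAM_TOKEN` and `TELEGRAM_CHAT_ID` and the direct `curl` call to the Telegram Bot API are assumptions; the leaking pattern is shown only in comments.

```yaml
# Added example (assumed secret names); not the project's own workflow.
name: pr-telegram-notify

on:
  # pull_request_target runs in the context of the BASE repository, so
  # secrets are available even for PRs opened from forks. Because of that,
  # nothing from the PR branch may be checked out or executed in this job.
  pull_request_target:
    types: [opened, closed, reopened]

# Least privilege: the job needs no GITHUB_TOKEN scopes at all.
permissions: {}

jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      # DO NOT add a checkout of the PR head here. This is the pattern that
      # leaks secrets under pull_request_target, because it runs code an
      # outside contributor controls while the secrets are in scope:
      #   - uses: actions/checkout@v4
      #     with:
      #       ref: ${{ github.event.pull_request.head.sha }}
      #   - run: npm install && npm run notify
      #
      # Only the event payload is used, via env vars rather than ${{ }}
      # interpolation inside the script body.
      - name: Send Telegram message
        env:
          TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_TOKEN }}      # assumed secret name
          TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}  # assumed secret name
          PR_ACTION: ${{ github.event.action }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          set -euo pipefail
          # Same failure the issue reports, now only if the secrets are truly unset.
          if [ -z "${TELEGRAM_TOKEN}" ] || [ -z "${TELEGRAM_CHAT_ID}" ]; then
            echo "missing telegram token or user list" >&2
            exit 1
          fi
          msg="PR ${PR_ACTION}: ${PR_TITLE} (${PR_URL}) from ${PR_HEAD_REPO}"
          # --data-urlencode lets curl escape the untrusted title safely.
          curl -fsS "https://api.telegram.org/bot${TELEGRAM_TOKEN}/sendMessage" \
            --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
            --data-urlencode "text=${msg}"
```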
