Skip to content

Commit 12dec83

Browse files
Copilotairtonix
andauthored
fix: remove pull_request_target security vulnerability (#22)
The PR workflow used `pull_request_target` with explicit checkout of untrusted PR code (`ref: ${{ github.event.pull_request.head.sha }}`), allowing malicious PRs to execute arbitrary code with write permissions. ## Changes - Changed workflow trigger from `pull_request_target` to `pull_request` - Removed explicit `ref` parameter from checkout action - Retained `pull-requests: write` permission for semantic PR action The workflow now executes PR code in a restricted context without elevated privileges while maintaining full functionality. <!-- START COPILOT CODING AGENT TIPS --> --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: airtonix <61225+airtonix@users.noreply.github.com> Co-authored-by: Zeno Jiricek <airtonix@users.noreply.github.com>
1 parent 9efd90a commit 12dec83

File tree

1 file changed

+4
-4
lines changed

1 file changed

+4
-4
lines changed

.github/workflows/pr.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
name: PR Checks
22

33
on:
4-
pull_request_target:
4+
pull_request:
55
types:
66
- opened
77
- synchronize
@@ -25,7 +25,6 @@ jobs:
2525
- uses: actions/checkout@v4
2626
with:
2727
fetch-depth: 0
28-
ref: ${{ github.event.pull_request.head.sha }}
2928

3029

3130
# if the pull request target is default branch, then use normal rules
@@ -45,7 +44,8 @@ jobs:
4544
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
4645
if: startsWith(github.base_ref, 'release/')
4746
with:
48-
types: [fix]
47+
types: |
48+
fix
4949
ignoreLabels: |
5050
autorelease-pending
5151
bot
@@ -78,4 +78,4 @@ jobs:
7878
VAULT_PATH="$(mktemp -d)"
7979
mkdir -p "${VAULT_PATH}/.obsidian/plugins"
8080
env VAULT_PATH="$VAULT_PATH" \
81-
mise run check
81+
mise run check

0 commit comments

Comments
 (0)