git: 8528d7e4f642 - main - github: Fix checklist action
Date: Mon, 28 Apr 2025 21:36:37 UTC
The branch main has been updated by imp:
URL: https://cgit.FreeBSD.org/src/commit/?id=8528d7e4f64206ab6288182aa65c0c159a746828
commit 8528d7e4f64206ab6288182aa65c0c159a746828
Author: Ahmad Khalifa <ahmadkhalifa570@gmail.com>
AuthorDate: 2025-01-25 16:59:19 +0000
Commit: Warner Losh <imp@FreeBSD.org>
CommitDate: 2025-04-28 21:27:29 +0000
github: Fix checklist action
Workflows triggered by the 'pull_request' event can't have write
permissions. With write permissions a malicious pull request can alter
or create a workflow that either leaks the GITHUB_TOKEN with the write
permissions or does malicious things in the workflow itself.
The 'pull_request_target' event on the other hand allows workflows to
run with write permissions but runs on the merge base of the PR; this
way a pull request that alters such a workflow will not have its code
run until it's merged.
Signed-off-by: Ahmad Khalifa <ahmadkhalifa570@gmail.com>
Reviewed by: imp, emaste
Pull Request: https://github.com/freebsd/freebsd-src/pull/1581
---
.github/workflows/checklist.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/checklist.yml b/.github/workflows/checklist.yml
index 9734af4a1a1d..f5c3ea599abf 100644
--- a/.github/workflows/checklist.yml
+++ b/.github/workflows/checklist.yml
@@ -4,7 +4,7 @@ name: Checklist
# for the submission to align with CONTRIBUTING.md
on:
- pull_request:
+ pull_request_target:
types: [ opened, reopened, edited, synchronize ]
permissions:
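Review bot: The trigger change at "on:" moves this job into the base repository's context with a write-capable token, so the safety of the change depends on the steps that follow never checking out or executing the pull request's head and never interpolating PR-controlled text into a shell command. The "types" list includes "edited", which fires when the title or body changes, so that text is likely an input here and should be passed to scripts as data (for example through an environment variable) rather than expanded inline. The contents of the "permissions:" block are not visible in this hunk; it should list only the scopes the checklist needs. A short comment above "pull_request_target:" stating why this event is used and that the workflow must not check out PR code would help keep later edits from undoing that assumption.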