Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests Jaroslav Lobacevski This post is the first in a series of posts about GitHub Actions security. Part 2, Part 3 In this article, we’ll discuss some common security malpractices for GitHub Actions and workflows, and how to best avoid them. Our examples are based on real-world GitHub workflow implementation vulnerabilitie

[sawa_zen]

“Since external users do not have the permission to assign labels, this effectively requires repository owners to manually review the changes first and is prone to human error. Note that there is an important “gotcha” to any remediation put in place for a vulnerable workflow. All PRs that wer

[Kesin]

pull_requestはfork先で書き換えられたyamlでジョブが動作するがsecretを読み出せないので安全。pull_request_targetはsecretを読み出せるがジョブのyamlはfork元が使用されるので悪意あるコードを実行できなくて安全。ということか

[efcl]

`pull_request_target`を使うと悪用されるケースがあることについて

[miya-jan]

GitHub Actions で fork からの信頼できない PR に対してワークフローを実行するときにセキュリティ上気をつけるべきことのまとめ