GitHub Action risky workflow_run usage
Checks for a GitHub Action that uses the workflow_run event and downloads or checks out code from the workflow that triggered it. A workflow using the workflow_run event runs in the context of the base repository and can therefore have more permissions and more secrets than the workflow that triggered it, which may have run on untrusted pull request code. Artifacts and commits coming from that triggering run must be treated as untrusted input: reading them as data is acceptable after validation, but executing or installing them hands the privileged workflow's secrets to the author of the pull request.
Examples
Insecure Example

The first workflow runs the pull request's own code under pull_request_target:

```yaml
name: Test PR
permissions:
  contents: read
on:
  pull_request_target
jobs:
  build:
    name: Test PR
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          npm test
```

The second workflow is triggered by the first through workflow_run, checks out the same untrusted head commit, and then runs it with access to a release secret:

```yaml
on:
  workflow_run:
    workflows: ['Test PR']
jobs:
  release:
    name: Release PR
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - name: Release
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          npm run release
```
Secure Example
Avoid downloading code or artifacts from workflows running on untrusted code.
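The following is an added example of a hardened version of the release workflow above; it is not part of the original page or of the rule's own documentation. It assumes that the `Test PR` workflow uploads an artifact named `test-report` containing a `report.json` file (both names are assumptions for this example) and that `jq` is available on the runner. The privileged workflow only runs after the triggering run succeeded, checks out the default branch instead of the pull request head, and fetches the artifact as data that is validated but never executed.

```yaml
name: Release PR
on:
  workflow_run:
    workflows: ['Test PR']
    types: [completed]
permissions:
  contents: read
jobs:
  release:
    name: Release PR
    # Only continue when the untrusted test run actually succeeded.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      # No `ref:` override: for a workflow_run event this checks out the
      # repository's default branch, i.e. already-reviewed code, not the
      # head commit of the pull request that triggered the test run.
      - uses: actions/checkout@v4

      # Fetch the artifact produced by the untrusted run. `run-id` and
      # `github-token` select the triggering run; the artifact name and
      # path below are assumptions for this example.
      - uses: actions/download-artifact@v4
        with:
          name: test-report
          path: untrusted-artifact
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Treat the artifact strictly as data: check it exists, parse it, and
      # require the expected field. Nothing from the artifact is executed,
      # installed, or checked out.
      - name: Validate test report
        run: |
          test -f untrusted-artifact/report.json
          jq -e '.passed == true' untrusted-artifact/report.json

      # The release step runs code from the default branch only, so the
      # secret is never exposed to the pull request author's code.
      - name: Release
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: npm run release
```

The key differences from the insecure example are the absence of `ref: ${{ github.event.workflow_run.head_sha }}` on the checkout step, the conclusion guard on the job, and the fact that the downloaded artifact is only inspected with `jq` rather than being run by `npm`. If the release genuinely needs information from the pull request (for example its number), read it from the validated artifact and check its format before using it.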