GitHub Action risky workflow_run usage

Checks for GitHub Actions workflows using the workflow_run event that download code from another workflow. A workflow using the workflow_run event can have more permissions and secrets than the workflow that triggered it, so code or artifacts taken from the triggering run are untrusted input. Caution should be taken when manipulating untrusted artifacts to avoid compromising the workflow execution.

Examples

Insecure Example

# First workflow: runs on the pull request and executes untrusted PR code
name: Test PR

permissions:
  contents: read

on:
  pull_request_target

jobs:
  build:
    name: Test PR
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - run: |
          npm test

# Second workflow: triggered by the first one via workflow_run, with access
# to a release secret, but checks out the triggering run's head commit
on:
  workflow_run:
    workflows: ['Test PR']

jobs:
  release:
    name: Release PR
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Release
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          npm run release

Secure Example

Avoid downloading code or artifacts from workflows running on untrusted code.
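As an added example that is not part of this page or of the rule's own implementation, the following standard-library Python script applies the check described above to two constructed workflows: the insecure release workflow from the example, and a hardened version that keeps the workflow_run trigger but checks out the default branch instead of the triggering run's head commit. The hardened workflow's `types: [completed]` filter and `if` guard on the triggering run's conclusion are assumptions added for illustration, as is treating any `actions/download-artifact` step in a workflow_run workflow as a finding.

```python
# Added example (not the rule's own implementation): a standard-library
# checker for the "risky workflow_run usage" pattern described on this page.
from __future__ import annotations

import re
from dataclasses import dataclass

# Triggered by workflow_run, either as a key under `on:` or inside an
# inline list such as `on: [push, workflow_run]`.
WORKFLOW_RUN_TRIGGER = re.compile(
    r"^\s*workflow_run\s*:|^on\s*:\s*\[[^\]]*\bworkflow_run\b", re.M
)
# A checkout `ref:` pointing at the commit or branch of the run that
# triggered us, i.e. code supplied by the less-privileged workflow.
REF_FROM_TRIGGERING_RUN = re.compile(
    r"^\s*ref\s*:\s*\$\{\{\s*github\.event\.workflow_run\.head_(?:sha|branch)\b"
)
# Artifacts produced by the triggering run are untrusted input as well
# (assumption: flagged so the reviewer confirms they are treated as data).
ARTIFACT_DOWNLOAD = re.compile(r"^\s*-?\s*uses\s*:\s*actions/download-artifact@")


@dataclass
class Finding:
    line: int
    reason: str


def uses_workflow_run(workflow_text: str) -> bool:
    """True if the workflow is triggered by the workflow_run event."""
    return WORKFLOW_RUN_TRIGGER.search(workflow_text) is not None


def find_risky_workflow_run(workflow_text: str) -> list[Finding]:
    """One Finding per line that pulls code or artifacts from the triggering
    run; empty when the workflow is not a workflow_run workflow at all."""
    if not uses_workflow_run(workflow_text):
        return []
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if REF_FROM_TRIGGERING_RUN.match(line):
            findings.append(Finding(lineno, "checks out code from the triggering run"))
        elif ARTIFACT_DOWNLOAD.match(line):
            findings.append(Finding(lineno, "downloads an artifact from the triggering run"))
    return findings


# Constructed sample: the page's insecure release workflow.
INSECURE_RELEASE = """\
on:
  workflow_run:
    workflows: ['Test PR']

jobs:
  release:
    name: Release PR
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Release
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          npm run release
"""

# Constructed sample: hardened variant (the `types` filter and `if` guard
# are assumptions). With no `ref:` override, checkout on a workflow_run
# event uses the repository's default branch, not the PR head.
SECURE_RELEASE = """\
on:
  workflow_run:
    workflows: ['Test PR']
    types: [completed]

jobs:
  release:
    name: Release PR
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - uses: actions/checkout@v4

      - name: Release
        env:
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          npm run release
"""

if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_RELEASE), ("secure", SECURE_RELEASE)):
        for f in find_risky_workflow_run(text) or [Finding(0, "no findings")]:
            print(f"{label}: line {f.line}: {f.reason}")
```

The check is deliberately two-stage: the trigger test decides whether the elevated-privilege context applies at all, and only then are checkout refs and artifact downloads reported, so the same `head_sha` checkout in an ordinary `pull_request_target` workflow is left to a different rule.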

More information