From dd97b442923823e8cb85bb3046c7614bb4e43a7d Mon Sep 17 00:00:00 2001
From: Philip Salzmann
Date: Thu, 1 Aug 2024 17:23:49 +0200
Subject: [PATCH 1/3] Only run CTS issue workflow when opening PRs
Turns out the `pull_request` trigger by default also runs when PRs are updated or re-opened. Change to only run on the `opened` activity.
---
 .github/workflows/open_cts_issue.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/open_cts_issue.yml b/.github/workflows/open_cts_issue.yml
index cc8abc9f..577888d3 100644
--- a/.github/workflows/open_cts_issue.yml
+++ b/.github/workflows/open_cts_issue.yml
@@ -1,5 +1,7 @@
 name: Open CTS issue for spec changes
-on: pull_request
+on:
+ pull_request:
+ types: opened
 jobs:
 create-issue:
 runs-on: ubuntu-latest
From e7a47f2b45ec35fc16364bf05e2f1a90b9f5c892 Mon Sep 17 00:00:00 2001
From: Philip Salzmann
Date: Fri, 2 Aug 2024 10:34:04 +0200
Subject: [PATCH 2/3] Run CTS issue workflow on pull_request_target trigger
This allows the workflow to access repository secrets even if the triggering PR originates from a fork. This has some security implications, see the comment within the workflow.
---
 .github/workflows/open_cts_issue.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/open_cts_issue.yml b/.github/workflows/open_cts_issue.yml
index 577888d3..074fd524 100644
--- a/.github/workflows/open_cts_issue.yml
+++ b/.github/workflows/open_cts_issue.yml
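Review bot: `types: opened` in the added lines is written as a bare scalar where the workflow schema documents a list; `types: [opened]` keeps it unambiguous for linters and readers even if GitHub happens to accept the scalar form. Restricting the trigger to `opened` also means a PR created as a draft and later marked ready, or a PR whose scope grows in later pushes, never runs this workflow; if that trade-off is intended it deserves a one-line comment such as `# Run only when the PR is first opened so pushes and reopens do not create duplicate issues.`. The `jobs:` mapping continues outside the hunk, so the job body could not be reviewed here.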
@@ -1,6 +1,12 @@
 name: Open CTS issue for spec changes
 on:
- pull_request:
+ # We use the pull_request_target trigger to always run the workflow in the context of the base branch,
+ # since this allows us to access repository secrets even if the PR originates from a fork.
+ #
+ # Importantly, the workflow must not checkout any code from the PR branch, as this could allow an attacker
+ # to gain write access to the repository.
+ # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for more information.
+ pull_request_target:
 types: opened
 jobs:
 create-issue:
From 3a244dc5dd5863cc317595bb6726446df9ddc3d3 Mon Sep 17 00:00:00 2001
From: Philip Salzmann
Date: Fri, 2 Aug 2024 10:35:15 +0200
Subject: [PATCH 3/3] Only run CTS issue workflow for changes in `adoc` directory
---
 .github/workflows/open_cts_issue.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/open_cts_issue.yml b/.github/workflows/open_cts_issue.yml
index 074fd524..37b142a1 100644
--- a/.github/workflows/open_cts_issue.yml
+++ b/.github/workflows/open_cts_issue.yml
@@ -8,6 +8,8 @@ on:
 # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for more information.
 pull_request_target:
 types: opened
+ paths:
+ - 'adoc/**'
 jobs:
 create-issue:
 runs-on: ubuntu-latest
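Review bot: The added comment block rules out checking out PR code but says nothing about the other common `pull_request_target` hazard, interpolating attacker-controlled PR fields (title, body, head branch name) into `run:` steps via `${{ }}` expressions, which an issue-creating job is likely to do; the job steps are outside this hunk, so that could not be verified here. I would extend the comment with `# Likewise, never interpolate PR-controlled strings (title, body, branch name) into run: steps; pass them through env: instead.`. The workflow also declares no `permissions:` block, so the write-capable token this trigger grants is scoped only by the repository default; adding a top-level `permissions:` with `issues: write` limits it to what creating an issue needs. The `on:` mapping and the `jobs:` mapping both continue outside the hunk.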
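Review bot: The new `paths:` filter is the only part of the trigger configuration without a comment, and combined with `types: opened` it has a non-obvious consequence: as far as I can tell the filter is evaluated against the PR's changed files at the time of the event, so a PR that initially touches nothing under `adoc/` and only later adds spec changes will never open a CTS issue. If that is acceptable, document it next to the filter, e.g. `# Only spec sources need a CTS issue; the filter is checked when the PR is opened, so adoc/ changes added in later pushes are not caught.`. The enclosing `on:` mapping starts before this hunk.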