Commit 2818fe7

committed
Add Alert about pull_request_target
#211 (comment)
1 parent 8d90676 commit 2818fe7

File tree

1 file changed

+9
-1
lines changed


README.md

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -296,7 +296,15 @@ However, there are a couple of ways to use this Actions in Workflows that should
296296

297297
### Workflow should run in **base** repository
298298

299-
The workflow below runs whenever a commit is pushed to the `main`-branch or when activity on a pull request happens, by listening to the [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) event.
299+
> [!CAUTION]
300+
> The following section explains how you can use git-auto-commit in combination with the `pull_request_target` trigger.
301+
> **Using `pull_request_target` in your workflows can lead to repository compromise as [mentioned](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) by GitHub's own security team. This means, that a bad actor could potentially leak/steal your GitHub Actions repository secrets.**
302+
> Please be aware of this risk when using `pull_request_target` in your workflows.
303+
>
304+
> If your workflow runs code-fixing tools, consider running the workflow on your default branch by listening to the `push` event or use a third-party tool like [autofix.ci](https://autofix.ci/).
305+
> We keep this documentation around, as many questions came in over the years, on how to use this action for public forks.
306+
307+
The workflow below runs whenever a commit is pushed to the `main`-branch or when activity on a pull request happens, by listening to the [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) event.
300308

301309
If the workflow is triggered by the `pull_request_target`-event, the workflow will run in the context of the base of the pull request, rather than in the context of the merge commit, as the `pull_request` event does.
302310
In other words, this will allow your workflow to be run in the repository where the pull request is opened to and will push changes back to the fork.
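Review bot: the caution at lines 299-305 names the consequence (leaked secrets) but not the condition that causes it, so a reader cannot tell which `pull_request_target` workflows are affected; the "code-fixing tools" sentence hints at it, but state it plainly, e.g. add after the bold sentence: "The danger arises when the workflow checks out and executes code from the pull request's head in a job that runs with the base repository's secrets, which is exactly what a code-fixing workflow does." That also makes the suggested alternatives (`push` on the default branch, autofix.ci) read as mitigations rather than unrelated advice. Two smaller points in the same hunk: "This means, that a bad actor" should be "This means that a bad actor", and the link text "[mentioned]" is uninformative; "as described in GitHub Security Lab's [Preventing pwn requests](...)" tells the reader what they are clicking on.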
