Question: the classic GH Security Lab blogpost about pwn requests presents two solutions when you need secrets and/or permissions to interact with a pull request: an `on: pull-request` workflow followed by an `on: workflow-run` workflow, so all the untrusted logic happens `on: PR` and `on: workflow-run` does the stuff that needs permissions/secrets.

Would it actually be possible to "simplify" option (2) into a single `on: pull-request-target` with multiple jobs? One job with no permissions or credentials handles all the untrusted logic, and another with the permissions/creds to do stuff with the outputs. For example (I wrote this off the top of my head, the syntax might be a bit off!):

To my eye, this seems basically equivalent to the `on: PR + workflow_run` suggestion: we have one job that runs with zero permissions or credentials/secrets (as if it were `on: PR`). It then generates data that's useful for the other. Sure, a malicious PR could modify the bash script to generate a false comment, but that's also the case with the `on: PR + workflow_run` solution. This at least ensures the permissions/creds are only used as we want, without allowing a malicious PR to use those permissions to modify a PR, etc.

Basically, what's the difference between the suggested `on: PR + workflow_run` workflows and `on: PR-target` with two properly-privileged jobs (other than the safety of knowing you'll never accidentally add a secret or permission to the untrusted job)?
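A sketch of the split-job `pull_request_target` layout the question describes, added here as an illustration; it is not the questioner's own snippet and not code from the Security Lab post. `./scripts/summarize.sh` is a hypothetical script that lives in the PR, and the workflow assumes the summary it prints is a single line.

```yaml
name: PR checks (single pull_request_target workflow, split jobs)

on:
  pull_request_target:
    types: [opened, synchronize]

# Workflow-wide default: GITHUB_TOKEN gets no permissions unless a job asks.
permissions: {}

jobs:
  untrusted:
    runs-on: ubuntu-latest
    permissions: {}   # no GITHUB_TOKEN scopes at all for this job
    outputs:
      summary: ${{ steps.analyze.outputs.summary }}
    steps:
      # Check out the PR *head*, i.e. attacker-controlled code. This job names
      # no secrets.* and holds no token scopes, so that code has nothing to use.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - id: analyze
        run: |
          # Hypothetical script from the PR; whatever it prints is untrusted data.
          echo "summary=$(./scripts/summarize.sh)" >> "$GITHUB_OUTPUT"

  privileged:
    needs: untrusted
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # only the scope the comment step needs
    steps:
      # No checkout of PR code here: this job runs with a write-capable token.
      # The untrusted output is passed through env, never interpolated with
      # ${{ }} inside `run:`, so a crafted summary cannot inject shell syntax.
      - env:
          SUMMARY: ${{ needs.untrusted.outputs.summary }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "$SUMMARY"
```

Note that `permissions: {}` only constrains `GITHUB_TOKEN`; repository secrets remain reachable by any job in a `pull_request_target` run that references them, so the isolation of the untrusted job rests on it never naming `secrets.*`, which is exactly the discipline the question's parenthetical points at.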