Why use on: pull-request + workflow_run and not on: pull-request-target with two properly-privileged jobs?

[pnacht]

Select Topic Area

Question

Body

Question: the classic GH Security Lab blogpost about pwn requests presents two solutions when you need secrets and/or permissions to interact with a pull-request:

1. requiring a label before running the job
2. using an on: pull-request workflow followed by an on: workflow-run workflow, so all the untrusted logic happens on: PR and on: workflow-run does the stuff that needs permissions/secrets.

Would it actually be possible to "simplify" option (2) into a single on: pull-request-target with multiple jobs? One job with no permissions or credentials handles all the untrusted logic, and another with the permissions/creds to do stuff with the outputs.

For example (I wrote this off the top of my head, the syntax might be a bit off!):

on: pull-request-target

permissions:
  contents: read

jobs:
  untrusted:
    outputs:
      test-results: steps.outputs.results
    steps:
      - uses: actions/checkout
        with: (check out PR head)
      - run: ./test.sh  # attacker controlled, but no permissions or credentials!
      - id: results
        run: |
          echo "results=$TEST_RESULTS >> $GITHUB_ENV"

  safe:
    needs: [untrusted]
    permissions:
      pull-requests: write
      issues: write
    steps:
      - uses: foo/add-comment-to-PR
         with:
           pr-number: github.pr.number
           comment: needs.untrusted.results

To my eye, this seems basically equivalent to the on: PR + workflow_run suggestion: we have one job that runs with zero permissions or credentials/secrets (as if it were on: PR). It then generates data that's useful for the other.

Sure, a malicious PR could modify the bash script to generate a false comment, but that's also the case with the on: PR + workflow_run solution. This at least ensures the permissions/creds are only used as we want, without allowing a malicious PR to use those permissions to modify a PR, etc.

Basically, what's the difference between the suggested on: PR + workflow_run workflows and on: PR-target with two properly-privileged jobs (other than the safety of knowing you'll never accidentally add a secret or permission to the untrusted job)?

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬