From 984dff31732419d0748d90a87c2d7980aa2fe541 Mon Sep 17 00:00:00 2001 From: Ahmad Khalifa Date: Sat, 25 Jan 2025 18:59:19 +0200 Subject: [PATCH] github: Fix checklist action Workflows triggered by the 'pull_request' event can't have write permissions. With write permissions a malicious pull request can alter or create a workflow that either leaks the GITHUB_TOKEN with the write permissions or does malicious things in the workflow itself. The 'pull_request_target' event on the other hand allows workflows to run with write permissions but runs on the merge base of the PR, this way a pull request that alters such a workflow will not have its code run until it's merged. Signed-off-by: Ahmad Khalifa --- .github/workflows/checklist.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/checklist.yml b/.github/workflows/checklist.yml index 9734af4a1a1da0..f5c3ea599abf61 100644 --- a/.github/workflows/checklist.yml +++ b/.github/workflows/checklist.yml @@ -4,7 +4,7 @@ name: Checklist # for the submission to align with CONTRIBUTING.md on: - pull_request: + pull_request_target: types: [ opened, reopened, edited, synchronize ] permissions:
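Review bot: Switching `pull_request:` to `pull_request_target:` only removes the problem described in the commit message if the rest of checklist.yml (not shown in this hunk) never executes content controlled by the pull request; the job now runs with a GITHUB_TOKEN that has the write permissions declared under the `permissions:` block that this hunk cuts off, so please confirm two things in the full file. First, that no step checks out or runs code from the PR head (for example `actions/checkout` with `ref:` set to the PR's head sha, or installing dependencies from the PR branch); with `pull_request_target` that pattern hands the write token to the PR author, which is exactly what the change is meant to prevent. Second, since `edited` stays in the `types:` list and a checklist check presumably reads the PR body or title, that those values are passed to scripts via `env:` rather than interpolated directly with `${{ github.event.pull_request.body }}` inside a `run:` line, because an edit to the PR description now triggers a privileged run. A small wording point for the message: `pull_request_target` executes the workflow definition from the base branch of the PR rather than its merge base, which is what makes a workflow edit in the PR itself inert until merge. It would also help to state in the message which write permission the checklist job actually needs (presumably `pull-requests: write`) so the `permissions:` block can be reviewed against least privilege.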