Authentication is needed to run workflows for PR
Every time a new PR is opened, workflows don't run automatically, which slows down the contribution process (and is not scalable either).
I suggest using `pull_request_target` instead of `pull_request` in GitHub Actions. More restrictions can be added using `types`. Check out the references.
https://github.com/TheAlgorithms/Rust/blob/b4cf132df2e6730ab64c6b096624571c623cadec/.github/workflows/build.yml#L3
References:
Could you explain why pull_request_target is better? Is it correct that it uses "workflow yaml instructions" from the master branch, but Rust code from the feature branch?
I'm open to considering changing this, but please explain clearly the requested changes and their impact.
Workflows triggered via `pull_request_target` have write permission to the target repository. They also have access to target repository secrets. The same is true for workflows triggered on `pull_request` from a branch in the same repository, but not from external forks. The reasoning behind the latter is that it is safe to share the repository secrets if the user creating the PR has write permission to the target repository already. Refer: GitHub security blog
I just want to automate the workflow run when any PR is opened from an external fork. But it seems `pull_request_target` is vulnerable to code injection or remote code execution. Let me know if we can do it some other way.
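The trade-off discussed above can be checked mechanically before a trigger is changed. This is an added example, not part of the original thread or the repository's own code: a small audit that flags a workflow when `pull_request_target` (base-repository token and secrets) is combined with a checkout of the PR's head, which is the combination that lets fork code run in the privileged context. The two sample workflows and the finding names are constructed for illustration.

```python
import re

# Constructed sample workflows (not the repository's actual build.yml).
RISKY = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: cargo test
"""
SAFER = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo test
"""

# A checkout "ref:" that resolves to the contributor's commit or branch.
HEAD_REF = re.compile(
    r"ref:.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/)")

def strip_comments(text):
    # Line-based comment removal; assumes no '#' inside quoted YAML strings.
    return "\n".join(line.split(" #")[0] for line in text.splitlines()
                     if not line.lstrip().startswith("#"))

def audit_workflow(text):
    """Return finding names (hypothetical labels) for one workflow file."""
    body = strip_comments(text)
    if not re.search(r"\bpull_request_target\b", body):
        return []  # plain pull_request: fork PRs get no secrets, read-only token
    findings = ["privileged-trigger"]
    if HEAD_REF.search(body):
        findings.append("checks-out-pr-head")    # fork code runs with secrets
    if not re.search(r"^\s*permissions:", body, re.M):
        findings.append("no-permissions-block")  # token scope left at default
    return findings

if __name__ == "__main__":
    print(audit_workflow(RISKY), audit_workflow(SAFER))
```

A workflow that reports only `privileged-trigger` runs the base branch's code and is the case where `pull_request_target` is typically used for labelling or commenting rather than building.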
This issue has been automatically marked as abandoned because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
It's related to #596, let's see if it helps
Let's wait for #596