
Modify vulnerable workflows #9489

Merged
kevinfiol merged 3 commits into main from kf/address_vulnerable_workflows
Mar 25, 2026

@kevinfiol (Collaborator) commented Mar 25, 2026

DEVOPS PULL REQUEST

Related Issue

See: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.

Changes Proposed

  • Use pull_request workflow trigger, which by default prevents secrets access.

Additional Information

  • Left permissions: contents: write and permissions: issues: write to not break these workflows.

Testing

N/A
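
The pattern named in the description above (a `pull_request_target` trigger combined with an explicit checkout of the PR head) can be checked for across a repository's workflow files. The following is an added example, not code from this pull request or repository: a line-based heuristic rather than a full YAML parser, where the sample workflows and the function name `find_pwn_request` are constructed for illustration.

```python
import re

# Constructed sample workflows (not taken from the repository in this PR).
RISKY = """\
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
# Same workflow after switching the trigger, as this PR proposes.
SAFE = RISKY.replace("pull_request_target:", "pull_request:")
# pull_request_target with no checkout of PR code is not flagged.
LABEL_ONLY = "on: pull_request_target\njobs:\n  label:\n    steps:\n      - uses: actions/labeler@v5\n"

# A checkout `ref:` that resolves to code controlled by the PR author.
PR_HEAD_REF = re.compile(
    r"\bref:\s*.*(github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/)")

def find_pwn_request(workflow_text):
    """Return 1-based line numbers where an actions/checkout step fetches the
    PR head inside a workflow triggered by pull_request_target."""
    # Drop YAML comments so a commented-out trigger or ref is ignored.
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in workflow_text.splitlines()]
    if not any(re.search(r"\bpull_request_target\b", l) for l in lines):
        return []
    hits, in_checkout = [], False
    for no, line in enumerate(lines, 1):
        if re.match(r"\s*-\s", line):          # a new list item ends the step
            in_checkout = False
        if re.search(r"\buses:\s*actions/checkout@", line):
            in_checkout = True
        elif in_checkout and PR_HEAD_REF.search(line):
            hits.append(no)
    return hits

if __name__ == "__main__":
    for name, text in [("risky", RISKY), ("safe", SAFE), ("label-only", LABEL_ONLY)]:
        print(name, find_pwn_request(text))
```

A hit marks a workflow to review by hand; the heuristic does not follow reusable workflows or composite actions.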

@kevinfiol kevinfiol changed the title use pull_request attr Modify vulnerable workflows Mar 25, 2026
@kevinfiol kevinfiol marked this pull request as ready for review March 25, 2026 20:39
@kevinfiol kevinfiol requested review from a team as code owners March 25, 2026 20:39
@kevinfiol kevinfiol requested review from DanielSass, DavidMcClatchey and mpbrown and removed request for a team March 25, 2026 20:39
@kevinfiol kevinfiol enabled auto-merge March 25, 2026 20:46
@kevinfiol kevinfiol disabled auto-merge March 25, 2026 21:01
@kevinfiol kevinfiol enabled auto-merge March 25, 2026 21:01
@kevinfiol kevinfiol added this pull request to the merge queue Mar 25, 2026
Merged via the queue into main with commit 0994431 Mar 25, 2026
35 of 37 checks passed
@kevinfiol kevinfiol deleted the kf/address_vulnerable_workflows branch March 25, 2026 23:10