Compare commits

..

No commits in common. "921dc8dd2451069dc30c6c7363f96784f772eed5" and "c2edb9a7407067e94b7af06b290da20c8e50a2fd" have entirely different histories.

4 changed files with 8 additions and 16 deletions

View File

@ -162,11 +162,8 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
github-server-url: '' github-server-url: ''
# Required to check out fork pull request code from a workflow triggered by # Required to check out fork pull request code from a workflow triggered by
# `pull_request_target` or `workflow_run`. These workflows run with the base # `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link) for
# repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner # the risks. Set to `true` only after reviewing the risks.
# access; fetching and executing a fork's code in that trusted context commonly
# leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
# risks at https://gh.io/securely-using-pull_request_target.
# Default: false # Default: false
allow-unsafe-pr-checkout: '' allow-unsafe-pr-checkout: ''
``` ```

View File

@ -101,11 +101,8 @@ inputs:
allow-unsafe-pr-checkout: allow-unsafe-pr-checkout:
description: > description: >
Required to check out fork pull request code from a workflow triggered by Required to check out fork pull request code from a workflow triggered by
`pull_request_target` or `workflow_run`. These workflows run with the `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link)
base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and for the risks. Set to `true` only after reviewing the risks.
runner access; fetching and executing a fork's code in that trusted
context commonly leads to "pwn request" vulnerabilities. Set to `true`
only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
default: false default: false
outputs: outputs:
ref: ref:

5
dist/index.js vendored
View File

@ -2832,9 +2832,8 @@ function assertSafePrCheckout(input) {
} }
throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` + throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` + `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` + `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
`context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` + `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
`the risks at https://gh.io/securely-using-pull_request_target, set ` +
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`); `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
} }
function pushIfSha(target, value) { function pushIfSha(target, value) {

View File

@ -74,9 +74,8 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
throw new Error( throw new Error(
`Refusing to check out fork pull request code from a '${eventName}' workflow. ` + `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` + `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` + `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
`context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` + `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
`the risks at https://gh.io/securely-using-pull_request_target, set ` +
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.` `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
) )
} }