mirror of
https://github.com/actions/checkout.git
synced 2026-07-03 19:32:50 +08:00
Compare commits
4 Commits
c2edb9a740
...
921dc8dd24
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
921dc8dd24 | ||
|
|
baaeba4a5e | ||
|
|
cb140b4908 | ||
|
|
678aa28ba1 |
@ -162,8 +162,11 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
github-server-url: ''
|
||||
|
||||
# Required to check out fork pull request code from a workflow triggered by
|
||||
# `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link) for
|
||||
# the risks. Set to `true` only after reviewing the risks.
|
||||
# `pull_request_target` or `workflow_run`. These workflows run with the base
|
||||
# repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
|
||||
# access; fetching and executing a fork's code in that trusted context commonly
|
||||
# leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
|
||||
# risks at https://gh.io/securely-using-pull_request_target.
|
||||
# Default: false
|
||||
allow-unsafe-pr-checkout: ''
|
||||
```
|
||||
|
||||
@ -101,8 +101,11 @@ inputs:
|
||||
allow-unsafe-pr-checkout:
|
||||
description: >
|
||||
Required to check out fork pull request code from a workflow triggered by
|
||||
`pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link)
|
||||
for the risks. Set to `true` only after reviewing the risks.
|
||||
`pull_request_target` or `workflow_run`. These workflows run with the
|
||||
base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
|
||||
runner access; fetching and executing a fork's code in that trusted
|
||||
context commonly leads to "pwn request" vulnerabilities. Set to `true`
|
||||
only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
|
||||
default: false
|
||||
outputs:
|
||||
ref:
|
||||
|
||||
5
dist/index.js
vendored
5
dist/index.js
vendored
@ -2832,8 +2832,9 @@ function assertSafePrCheckout(input) {
|
||||
}
|
||||
throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
|
||||
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
|
||||
`cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
|
||||
`"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
|
||||
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
|
||||
`the risks at https://gh.io/securely-using-pull_request_target, set ` +
|
||||
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
|
||||
}
|
||||
function pushIfSha(target, value) {
|
||||
|
||||
@ -74,8 +74,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
|
||||
throw new Error(
|
||||
`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
|
||||
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
|
||||
`cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
|
||||
`"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
|
||||
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
|
||||
`the risks at https://gh.io/securely-using-pull_request_target, set ` +
|
||||
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
|
||||
)
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user