dpgaspar commented on code in PR #28280:
URL: https://github.com/apache/superset/pull/28280#discussion_r1587481695
##########
.github/workflows/superset-frontend.yml:
##########
@@ -5,7 +5,7 @@ on:
branches:
- "master"
- "[0-9].[0-9]"
- pull_request:
+ pull_request_target:
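Review bot: switching the trigger from `pull_request` to `pull_request_target` on this line gives the workflow the base repository's secrets and, unless a `permissions` key is set, a read/write GITHUB_TOKEN even for pull requests opened from forks, while the jobs in this workflow still check out and build the PR ref (including anything under `/scripts`). Suggest keeping `pull_request:` for any job that checks out, builds or runs PR code; if `pull_request_target` is genuinely needed for one step, add a top-level `permissions:` block that limits the token to read access and keep that job from checking out the PR head or saving caches it may have altered.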
Review Comment:
as per docs:
```
Warning: For workflows that are triggered by the pull_request_target event,
the GITHUB_TOKEN is granted read/write repository permission unless the
permissions key is specified and the workflow can access secrets, even when it
is triggered from a fork. Although the workflow runs in the context of the base
of the pull request, you should make sure that you do not check out, build, or
run untrusted code from the pull request with this event. Additionally, any
caches share the same scope as the base branch. To help prevent cache
poisoning, you should not save the cache if there is a possibility that the
cache contents were altered. For more information, see "[Keeping your GitHub
Actions and workflows secure: Preventing pwn
requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)"
on the GitHub Security Lab website.
```
Secrets can leak to forks: this trigger runs GitHub workflow code from the
base branch (master), but we are checking out code from the PR ref in these
workflows, which can open other attack vectors, for example by changing
code in `/scripts` that would get executed by the workflow.
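The risk described in the comment above, shown as an added configuration example that is not the Superset project's own workflow: the first document is the pattern the review objects to (`pull_request_target` combined with a checkout of the PR head), the second is the hardened form that keeps the `pull_request` trigger and pins the token to read-only access. Workflow names, job names and the `./scripts/build.sh` path are assumed for illustration.

```yaml
# Added example, not the project's workflow. Two YAML documents in one file.

# --- Risky pattern: pull_request_target plus checkout of the PR head ---
# pull_request_target runs with the base repository's secrets and, with no
# permissions key, a read/write GITHUB_TOKEN even for fork PRs. Checking out
# the PR head and then running a script from it executes untrusted code
# with those credentials available.
name: frontend-risky
on:
  pull_request_target:
    branches: ["master"]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: ./scripts/build.sh                              # assumed path; runs that code

---
# --- Hardened pattern: pull_request trigger, least-privilege token ---
# A pull_request run from a fork receives a read-only GITHUB_TOKEN and no
# repository secrets, so building the PR code is safe. The explicit
# permissions block keeps the token read-only for same-repo PRs as well.
name: frontend-hardened
on:
  pull_request:
    branches: ["master"]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the PR merge commit, no secrets exposed
      - run: ./scripts/build.sh     # assumed path; now runs without write access or secrets
```

If a workflow really needs `pull_request_target` (for example to label or comment on fork PRs with a write token), the safe split is to keep that job free of any checkout of the PR ref and of any step that saves a cache, and to move the build and test steps into a separate `pull_request` workflow.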
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.