rusackas commented on PR #40533: URL: https://github.com/apache/superset/pull/40533#issuecomment-4581468188
**Why these changes were made** Both `superset-docs-deploy.yml` and `superset-docs-verify.yml` use the `workflow_run` trigger, which fires in the context of the *target repository* (with its secrets) rather than in the context of the triggering PR. This is intentional by design — it's what allows downstream workflows to access deployment credentials that fork PRs can't touch. But it creates a trap: if the downstream workflow checks out and executes code identified by `github.event.workflow_run.head_sha`, and that sha belongs to a fork PR, the code running with elevated privileges is attacker-controlled. The `branches: [master]` filter on the `workflow_run` trigger is not a reliable guard here. For `workflow_run`, GitHub evaluates that filter against the *head branch of the triggering run*, not its base. A fork can name its branch `master` and satisfy the filter. The fix is a single condition added to each affected job's `if:` block: ``` github.event.workflow_run.head_repository.full_name == github.repository ``` This ensures the job only runs when the triggering workflow originated from `apache/superset` itself — not a fork. `push` and `workflow_dispatch` triggers bypass this check entirely and are unaffected. The third commit adds `zizmor` as a pre-commit hook to catch this pattern locally going forward. CI coverage was already added in #40510. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
