I have been reading about GitHub Actions security and came across some concerns regarding the use of pull_request_target in the recommended documentation-links.yml from the README. I am not an expert, which is actually the point of this request. In particular, the use of pull_request_target in the suggested workflow triggers the security tool zizmor to flag the usage as follows:
```
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  |
2 | / on:
3 | | pull_request_target:
4 | |   types:
5 | |     - opened
  | |______________^ pull_request_target is almost always used insecurely
```
I'm trying to understand the implications and whether or not this usage is actually unsafe. From what I understand, it may be safe in the context of this RTD action because no code from the forked repo is ever checked out or executed.
It would be really helpful to save others similar research if someone could explicitly address the security implications in the README. If my understanding is incorrect, I would appreciate any guidance or corrections. Thank you for your time and for maintaining this project!
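The distinction the issue is asking about (the trigger itself versus the trigger combined with checking out fork code) can be made mechanical. The following is an added example, not the issue author's code and not part of the project being discussed: a small stand-alone audit that takes a workflow as the mapping `yaml.safe_load` returns, reports `pull_request_target` as a warning, and escalates to an error only when a job under that trigger checks out the pull request head. The two sample workflows are constructed for this example; the action name `example-org/pr-comment-action@v1` and the project slug in them are placeholders.

```python
# Added example, not code from the issue or the project it discusses.
# Input: the mapping that `yaml.safe_load` produces for a workflow file.
import re
from dataclasses import dataclass

# Expressions that resolve to something the fork author controls.
UNTRUSTED_HEAD = re.compile(r"github\.(event\.pull_request\.head|head_ref)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "warning" or "error"
    location: str   # job name, or "on" for the trigger block
    message: str


def _triggers(workflow: dict) -> dict:
    """Normalise the `on:` block to a mapping of trigger name -> config.

    PyYAML reads a bare `on` key as the boolean True (YAML 1.1 rules), so
    both spellings are accepted here.
    """
    raw = workflow.get("on", workflow.get(True)) or {}
    if isinstance(raw, str):
        return {raw: {}}
    if isinstance(raw, list):
        return {name: {} for name in raw}
    return dict(raw)


def audit_workflow(workflow: dict) -> list[Finding]:
    findings: list[Finding] = []
    if "pull_request_target" not in _triggers(workflow):
        return findings  # no fork-related privilege issue to report

    # The trigger alone: base-repository context, secrets available, and a
    # GITHUB_TOKEN that is write-capable unless `permissions` narrows it.
    findings.append(Finding(
        "warning", "on",
        "pull_request_target runs in the base repository's context, with its "
        "secrets and a write-capable GITHUB_TOKEN, for PRs from forks",
    ))
    for job_name, job in (workflow.get("jobs") or {}).items():
        for step in job.get("steps") or []:
            uses = str(step.get("uses") or "")
            inputs = step.get("with") if isinstance(step.get("with"), dict) else {}
            ref = str(inputs.get("ref") or "")
            # Checking out the PR head is what turns the warning into an error:
            # every later step then runs fork-controlled code with those secrets.
            if uses.startswith("actions/checkout") and UNTRUSTED_HEAD.search(ref):
                findings.append(Finding(
                    "error", job_name,
                    f"checks out the PR head ({ref}) under pull_request_target; "
                    "any later build, test or lint step executes fork-controlled "
                    "code with repository secrets",
                ))
    return findings


# Constructed sample resembling the comment-only pattern the issue describes:
# the trigger is present, but no step fetches or runs fork code.
COMMENT_ONLY_WORKFLOW = {
    "name": "docs-links",
    "on": {"pull_request_target": {"types": ["opened"]}},
    "permissions": {"pull-requests": "write"},
    "jobs": {
        "comment": {
            "runs-on": "ubuntu-latest",
            "steps": [
                # Placeholder action name, not the real documentation action.
                {"uses": "example-org/pr-comment-action@v1",
                 "with": {"project-slug": "example-project"}},
            ],
        }
    },
}

# Constructed sample of the combination that makes the trigger dangerous.
HEAD_CHECKOUT_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"run": "npm ci && npm test"},
            ],
        }
    },
}

if __name__ == "__main__":
    for name, wf in [("comment-only", COMMENT_ONLY_WORKFLOW),
                     ("head-checkout", HEAD_CHECKOUT_WORKFLOW)]:
        print(f"== {name}")
        for f in audit_workflow(wf):
            print(f"  {f.severity}[{f.location}]: {f.message}")
```

Run against a real file with `audit_workflow(yaml.safe_load(open(".github/workflows/documentation-links.yml")))`. A linter such as zizmor reports the trigger regardless of what the jobs do, which is reasonable for a generic tool; this check separates the two cases so a reviewer can see whether the warning is about the trigger's privilege level alone or about fork code actually being executed under it. The comment-only sample still carries the warning because its secrets and token are exposed to whatever the action itself does, so the pinned action version and a narrow `permissions` block are what keep that case contained.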