Pull request overview
This PR updates the Validate GitHub Actions workflow to reduce CI security risk when running on pull_request_target, and to ensure linting runs against the PR’s checked-out content rather than the base repository checkout.
Changes:
- Restricts workflow GITHUB_TOKEN permissions to contents: read.
- Checks out the PR head repository into a separate ./head directory (instead of the workspace root).
- Updates the Biome lint step to target ./head.
| - uses: actions/checkout@v4 | ||
| with: | ||
| repository: ${{ github.event.pull_request.head.repo.full_name }} | ||
| ref: ${{ github.event.pull_request.head.ref }} | ||
| path: ./head |
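Review bot: with path: ./head the untrusted PR head now lives inside the job workspace of a pull_request_target run, so no later step in this job should execute anything taken from ./head (package scripts, git hooks, or tooling that loads code from the target directory) while the elevated GITHUB_TOKEN is available; the lint step as written only runs Biome fetched from the registry, which is fine, but the job should stay that way. Pinning ref: to github.event.pull_request.head.sha rather than head.ref would also make the lint result reproducible for the exact commit the check is reported on.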
When checking out the PR head in a pull_request_target workflow, use the immutable github.event.pull_request.head.sha instead of head.ref to avoid TOCTOU issues (the branch can move between trigger and checkout). Also set persist-credentials: false on this checkout so the GITHUB_TOKEN isn’t written into ./head/.git/config, which reduces the risk of later steps inadvertently leaking it.
| - name: Lint Check | ||
| run: pnpx @biomejs/biome@2.0.0 ci | ||
| run: pnpx @biomejs/biome@2.0.0 ci ./head |
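Review bot: pnpx @biomejs/biome@2.0.0 resolves and downloads the package from the registry on every run, so the version is pinned but nothing checks the downloaded tarball against a lockfile integrity hash; if the repository already declares Biome as a dev dependency, running it from the lockfile (install, then pnpm exec biome ci ./head) gives the same result with an integrity check, and the job is then pinned to one reviewed artifact instead of whatever the registry serves for 2.0.0.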
biome ci ./head will still auto-discover config starting from the current working directory, so it will use the base repo’s biome.json even if the PR modifies ./head/biome.json. If you want config changes in the PR to be validated as part of this check (without changing CWD), pass Biome a config path (e.g., --config-path ./head or --config-path ./head/biome.json).
| run: pnpx @biomejs/biome@2.0.0 ci ./head | |
| run: pnpx @biomejs/biome@2.0.0 ci ./head --config-path ./head |
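Review bot: --config-path ./head means the PR author now controls which rules this check enforces, since biome.json is read from the untrusted head checkout; that is the stated intent (validate the PR's own config), but it also means a PR can relax or disable the lint for itself, so this job should be treated as a lint signal and not as a required gate that unlocks anything with elevated permissions.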
@okjintao an out-of-scope bug bounty submission flagged this. There's moderate security risk here and this PR should patch the issue.
No description provided.