
Remove pull_request trigger from add-to-project GitHub action #32

Closed
makubacki opened this issue Sep 16, 2022 · 0 comments · Fixed by #31
Labels: complexity:easy (Requires minimal background information and effort to accomplish), impact:non-functional (Does not have a functional impact)

Comments

@makubacki (Member)

Since GitHub treats workflows triggered from forks (and Dependabot) as untrusted, they receive a read-only GITHUB_TOKEN and the PRs cannot access any secrets in the repository.

More information:
https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

The trigger type could be changed to pull_request_target which would grant permission to the secrets but it has security implications as described here: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

In the end, we'll just remove the action for pull requests for now.

makubacki added the labels complexity:easy and impact:non-functional on Sep 16, 2022
makubacki self-assigned this on Sep 16, 2022
makubacki added a commit that referenced this issue Sep 16, 2022
## Description

Closes #32

Since GitHub treats workflows triggered from forks (and Dependabot) as
untrusted, they receive a read-only GITHUB_TOKEN and the PRs cannot
access any secrets in the repository.

A secret token is required with project write access for the
add-to-project action to automatically assign issues and PRs to a project.

More information:

https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

The trigger type could be changed to `pull_request_target` which would
grant permission to the secret token:

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

But that has security implications as described here:

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

In the end, we'll just remove the action for pull requests for now and
only have issues automatically get assigned to the project upon creation.

## How This Was Tested

Verified actions/add-to-project no longer triggers on pull requests.

## Integration Instructions

N/A

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
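The two workflow shapes the issue and the commit message discuss, as an added illustration (constructed here, not the project's actual workflow file): the `pull_request` trigger that is removed beside the issues-only workflow that remains. The project URL, the secret name `PROJECT_TOKEN` and the action version tag are assumptions.

```yaml
# BEFORE (constructed): add-to-project on both issues and pull requests.
# A pull_request run from a fork (or Dependabot) executes in an untrusted
# context: GITHUB_TOKEN is read-only and repository secrets are not
# available, so secrets.PROJECT_TOKEN is empty and the step cannot
# authenticate to the project.
name: Add to project (before)
on:
  issues:
    types: [opened]
  pull_request:
    types: [opened]
jobs:
  add-to-project:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v0.3.0      # version tag assumed
        with:
          project-url: https://github.com/orgs/EXAMPLE_ORG/projects/1  # placeholder
          github-token: ${{ secrets.PROJECT_TOKEN }}                   # secret name assumed
---
# AFTER (constructed): only the issues trigger remains. Issue events always
# run in the base repository's trusted context, so the secret is present.
# Switching the PR trigger to pull_request_target would also expose the
# secret, but that runs the workflow with base-repository privileges on
# PR-controlled input, which is the risk the linked Security Lab article
# describes; dropping the PR trigger avoids it entirely. GITHUB_TOKEN is
# additionally restricted to read-only, since the step uses the PAT.
name: Add to project (after)
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  add-to-project:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v0.3.0      # version tag assumed
        with:
          project-url: https://github.com/orgs/EXAMPLE_ORG/projects/1  # placeholder
          github-token: ${{ secrets.PROJECT_TOKEN }}                   # secret name assumed
```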