Default Greeting workflow suddenly resulting in an error #25706
-
My repo uses Greetings workflow by My workflow is:
The error it shows:
Replies: 5 comments
-
The In your case the
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
In this article, we’ll discuss some common security malpractices for GitHub Actions and workflows, and how to best avoid them. Our examples are based on real-world GitHub workflow implementation vulnerabilities the GitHub Security Lab has reported to...
-
I did not really get what you said; it went over my head. Please tell me what modifications I have to make in my workflow to make it work.
-
Mine is a public repo. One of my contributors has raised a PR from their fork and I’m trying to merge it. This Greetings workflow doesn’t work, that’s it.
-
Thanks for the clarification 😊
I’ll try to simplify it a bit:
Each workflow run automatically gets a thing called a GITHUB_TOKEN. That token is used for authentication, for example when your workflow creates a comment. When the workflow runs because of an issue or PR inside your repository, the token is allowed to make changes.
When a pull_request happens because of a PR from a fork, the token has read-only permissions. It can’t be used to make changes, so you can’t use it to write a comment. This is for security: With the pull_request event the workflow file is taken from the PR. Anyone can make a PR, and someone could edit the workflow file in the PR to do something bad.
There is another event called pull_request_target
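A Greetings workflow adjusted along the lines of the explanation above, as an added example that is not part of the original thread or the poster's own workflow. It assumes the actions/first-interaction action at v1 with its repo-token, issue-message and pr-message inputs; the file path and message texts are placeholders.

```yaml
# .github/workflows/greetings.yml  (assumed path; added example)
name: Greetings

on:
  # Before: the pull_request trigger. For a PR opened from a fork the
  # GITHUB_TOKEN is read-only, so the step that writes the greeting fails.
  # pull_request:
  #
  # After: pull_request_target. The workflow file is taken from the base
  # repository, not from the PR, so the token is allowed to write.
  pull_request_target:
    types: [opened]
  issues:
    types: [opened]

# Grant the token only what a greeting comment needs. Once this block is
# present, every scope not listed here gets no access.
permissions:
  issues: write
  pull-requests: write

jobs:
  greeting:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout step. With pull_request_target the
      # job holds a write-capable token, so it must not fetch, build or run
      # anything that comes from the contributor's PR.
      - uses: actions/first-interaction@v1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          issue-message: "Thanks for opening your first issue."      # placeholder text
          pr-message: "Thanks for opening your first pull request."  # placeholder text
```

The workflow stays safe only as long as no later step checks out or executes the PR's head commit; that combination is the pattern the linked "Preventing pwn requests" article describes.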