Default Greeting workflow suddenly resulting in an error

[opticSquid]

My repo uses Greetings workflow by Github Actions which greets first time contributors to a repo with custom messages when they do a PR or raise an issue. The workflow was working fine for issues but when someone tried to create a PR from their fork to the main branch of the main repo the workflow shows error.

My workflow is:

name: Greetings
on: [pull_request, issues]
jobs:

greeting:

runs-on: ubuntu-latest

permissions:

issues: write

pull-requests: write

steps:

- uses: actions/first-interaction@v1

with:

repo-token: ${{ secrets.GITHUB_TOKEN }}

issue-message: 'Message that will be displayed on users first issue'

pr-message: 'Message that will be displayed on users first pull request'

The error it shows:

image1814×832 59.5 KB

[airtower-luna]

The GITHUB_TOKEN for pull_request events has read-only permissions. Otherwise people could write malicious workflows, create a PR for your repository, and let those workflows run with write access to your repository.

In your case the pull_request_target event might work, which runs a workflow defined on the target branch of a PR (so not modifiable by an attacker without the PR getting merged). Using it to post a comment should be safe, but when writing the workflow you need to make sure it doesn’t allow script injection or running code from the PR, see:

  <a href="https://securitylab.github.com/research/github-actions-preventing-pwn-requests/" target="_blank" rel="noopener" title="12:00AM - 15 December 2020">GitHub Security Lab – 15 Dec 20</a>

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

In this article, we’ll discuss some common security malpractices for GitHub Actions and workflows, and how to best avoid them. Our examples are based on real-world GitHub workflow implementation vulnerabilities the GitHub Security Lab has reported to...

[opticSquid]

I did not get really what you said it went over my head. Please tell me what modifications I have to do in my workflow to make it work

[opticSquid]

Mine is a public repo, one of my contributors have raised a PR from their fork and I’m trying to merge it this greetings work flow doesn’t work thats it

[airtower-luna]

I’ll try to simplify it a bit:

Each workflow run automatically gets a thing called a GITHUB_TOKEN. That token is used for authentication, for example when your workflow creates a comment. When the workflow runs because of an issue or PR inside your repository, the token is allowed to make changes.

When a pull_request happens because of a PR from a fork, the token has read-only permissions. It can’t be used to make changes, so you can’t use it to write a comment. This is for security: With the pull_request event the workflow file is taken from the PR. Anyone can make a PR, and someone could edit the workflow file in the PR to do something bad.

There is another event called pull_request_target you can use to make workflows run when a PR is created. The workflow file for pull_request_target must already be in your repository, on the target branch of the PR. So a random PR author can’t change it. The token for those workflows can make changes. However, that also means you must be careful not to run any code from the PR. Otherwise it could abuse the token to do bad things again. The article above is about that problem.

[opticSquid]

Thanks for the clarification 😊