File tree 1 file changed +17
-3
lines changed
1 file changed +17
-3
lines changed Original file line number Diff line number Diff line change 88permissions :
99 id-token : write
1010 contents : read
11- pull-requests : read
11+ pull-requests : write
1212
1313concurrency :
1414 group : ${{ github.workflow }}-${{ github.head_ref }}
@@ -20,11 +20,25 @@ jobs:
2020 runs-on : ubuntu-latest
2121 if : github.event.pull_request.merged != true && github.event.action != 'closed'
2222 steps :
23- - name : Checkout actions
23+ # NOTE: We're checking out both repos to avoid a security vulnerability
24+ # Any code that runs in this workflow should be using the checked out base repo to avoid
25+ # running code from a potentially malicious PR
26+ # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
27+ # https://nathandavison.com/blog/github-actions-and-the-threat-of-malicious-pull-requests
28+ - name : Checkout base repo
2429 uses : actions/checkout@v4
2530 with :
31+ path : base
2632 fetch-depth : 0
33+ - name : Checkout head repo
34+ uses : actions/checkout@v4
35+ with :
36+ repository : ${{ github.event.pull_request.head.repo.full_name }}
37+ ref : ${{ github.event.pull_request.head.ref }}
38+ token : ${{ secrets.GITHUB_TOKEN }}
39+ fetch-depth : 0
40+ path : head-repo
2741
2842 - name : Run unsafe code review script
29- run : pip3 install -r .github/scripts/add_unsafe_reviewers/requirements.txt && python3 .github/scripts/add_unsafe_reviewers/add-unsafe-reviewers.py . "origin/${{ github.base_ref }}" --token "${{ secrets.ONEBLUE_GH_PAT }}" --pull-request "${{ github.event.number }}"
43+ run : pip3 install -r ./base/. github/scripts/add_unsafe_reviewers/requirements.txt && python3 ./base/. github/scripts/add_unsafe_reviewers/add-unsafe-reviewers.py ./head-repo "origin/${{ github.base_ref }}" --token "${{ secrets.GITHUB_TOKEN }}" --pull-request "${{ github.event.number }}"
3044 shell : bash
You can’t perform that action at this time.
0 commit comments