Add CI security blog post and remove legacy pull_request_target workflow (#900)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: osterman

blog/2026-04-13-pr-preview-workflow-hardening.mdx

@@ -0,0 +1,51 @@
+---
+title: "Security Update: Hardening Pull Request Preview Workflows"
+slug: pr-preview-workflow-hardening
+description: "We removed a pull_request_target-based preview workflow from our documentation repository after a responsible disclosure highlighting the risk of executing code influenced by an untrusted pull request in the base repository context."
+authors: [cloudposse]
+tags: [security, github-actions, ci-cd, docs]
+date: 2026-04-13
+---
+import Intro from '@site/src/components/Intro';
+
+<Intro>
+We removed a <code>pull_request_target</code>-based preview workflow from our documentation repository after a responsible disclosure from security researcher Aviv Donenfeld. This was the last remaining instance of this pattern in our GitHub organization. The issue was limited to pull request preview environments for this repository, there is no indication it was ever exploited, and the overall impact was minimal.
+</Intro>
+
+<!--truncate-->
+
+One of our long-standing best practices is requiring maintainer approval before running workflows triggered by pull requests. That eliminates an entire class of CI/CD attack vectors involving untrusted code execution.
+
+It is easy to assume that protection applies universally, including to workflows triggered by `pull_request_target`. That assumption breaks down when those workflows execute code, scripts, or artifacts influenced by an untrusted pull request.
+
+Workflows triggered by `pull_request_target` run in the context of the base repository. That is not inherently unsafe if all executed code comes strictly from a trusted and protected branch. The problem is when such workflows execute code influenced by an untrusted pull request, or publish pull request content into a trusted location or environment. In that case, they can bypass the assumptions many teams make about pull request approval gates and create an avoidable CI/CD exposure.
+
+## What we changed
+
+Following Aviv's report, we removed the affected pattern from this repository's pull request preview workflow.
+
+This was the last remaining instance of this pattern in our GitHub organization. We had already phased it out elsewhere some time ago, and it has now been fully removed here as well.
+
+## Scope and impact
+
+The issue was limited to preview environments for this documentation repository.
+
+- There is no indication the issue was ever exploited
+- We do not believe this had broader production impact
+- The overall severity was low, but the pattern itself was still worth eliminating
+
+## Why this matters
+
+This is one of those edge cases that is easy to miss because the workflow may still look "approved" or "maintainer-controlled" at first glance. The security boundary is different for `pull_request_target`, and that difference matters when the workflow executes anything influenced by untrusted pull request content.
+
+The practical takeaway is simple: `pull_request_target` can be a convenient choice for labeling pull requests. Beyond that, it should be used only when all executed code is strictly from a trusted and protected branch. Do not use it to execute code influenced by an untrusted pull request, or to publish pull request content into a trusted location or environment.
+
+## Guidance for customers and the community
+
+Because this repository is our documentation site, we are also using this as an opportunity to point customers and the community to the upstream guidance we recommend reviewing:
+
+- [GitHub Actions: `pull_request_target` event](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target)
+- [GitHub Actions security hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
+- [GitHub Security Lab: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
+
+We appreciate researchers like Aviv who take the time to surface issues like this clearly and responsibly. In this case, the report was thorough, accurate, and directly actionable.

docs/layers/atmos-pro/tutorials/migrate-from-github-actions-gitops.mdx

@@ -80,7 +80,6 @@ Before removing the legacy workflows:
 Once Atmos Pro is working correctly, remove the legacy workflow files:
 
 <Steps>
-1. `.github/workflows/atmos-terraform-plan.yaml`
 1. `.github/workflows/atmos-terraform-apply.yaml`
 1. `.github/workflows/atmos-terraform-drift-detection.yaml`
 1. `.github/workflows/atmos-terraform-drift-remediation.yaml`

docs/layers/gitops/example-workflows.mdx

@@ -17,7 +17,7 @@ import PartialAtmosTerraformApplyMatrix from '@site/examples/legacy/snippets/.gi
 :::warning Deprecated
 These example workflows are for the legacy GitHub Actions GitOps approach.
 
-**The recommended approach now uses [Atmos Pro](/layers/atmos-pro/)**, which provides these workflows out-of-the-box with no custom configuration required.
+For current examples using Atmos Native CI, see [`cloudposse-examples/atmos-native-ci`](https://github.com/cloudposse-examples/atmos-native-ci) and the [Atmos CI documentation](https://atmos.tools/ci).
 
 This content is preserved for users with existing GitHub Actions GitOps deployments.
 :::

docs/layers/gitops/faq.mdx

@@ -7,7 +7,7 @@ sidebar_position: 10
 :::warning Deprecated
 This FAQ is for the legacy GitHub Actions GitOps approach.
 
-**The recommended approach now uses [Atmos Pro](/layers/atmos-pro/)**.
+For current examples using Atmos Native CI, see [`cloudposse-examples/atmos-native-ci`](https://github.com/cloudposse-examples/atmos-native-ci) and the [Atmos CI documentation](https://atmos.tools/ci).
 
 This content is preserved for users with existing GitHub Actions GitOps deployments.
 :::
@@ -75,4 +75,4 @@ To resolve this error, thoroughly read through each of the [Authentication Prere
 
 ### How does GitHub OIDC work with AWS?
 
-Please see [How to use GitHub OIDC with AWS](/layers/github-actions/github-oidc-with-aws)
+Please see [How to use GitHub OIDC with AWS](/layers/github-actions/github-oidc-with-aws)

docs/layers/gitops/gitops.mdx

@@ -13,10 +13,7 @@ import CodeBlock from '@theme/CodeBlock';
 :::warning Deprecated
 This documentation describes the legacy GitHub Actions GitOps approach for Terraform automation.
 
-**The recommended approach now uses [Atmos Pro](/layers/atmos-pro/)**, which provides:
-- Integrated plan/apply workflows with no custom configuration
-- Built-in drift detection and remediation
-- Seamless integration with AWS SSO via `iam-role` component
+For current examples using Atmos Native CI, see [`cloudposse-examples/atmos-native-ci`](https://github.com/cloudposse-examples/atmos-native-ci) and the [Atmos CI documentation](https://atmos.tools/ci).
 
 This content is preserved for users with existing GitHub Actions GitOps deployments.
 :::
@@ -65,6 +62,8 @@ Once the required S3 Bucket, DynamoDB table, and two separate roles to access Te
 ## References
 
 - [Setup Documentation](/layers/gitops/setup)
+- [Atmos CI documentation](https://atmos.tools/ci)
+- [`cloudposse-examples/atmos-native-ci`](https://github.com/cloudposse-examples/atmos-native-ci)
 - [Atmos integration documentation](https://atmos.tools/category/integrations/github-actions).
 - [GitHub OIDC Integration with AWS](/layers/github-actions/github-oidc-with-aws)
 - [`cloudposse/github-action-atmos-terraform-plan`](https://github.com/cloudposse/github-action-atmos-terraform-plan)
@@ -74,4 +73,3 @@ Once the required S3 Bucket, DynamoDB table, and two separate roles to access Te
 - [`gitops/s3-bucket`](/components/library/aws/s3-bucket/): Deploy a S3 Bucket using the `s3-bucket` component. This bucket holds Terraform planfiles.
 - [`gitops/dynamodb`](/components/library/aws/dynamodb/): Deploy a DynamoDB table using the `dynamodb` component. This table is used to hold metadata for Terraform Plans
 - [`github-oidc-role`](/components/library/aws/github-oidc-role/): Deploys an IAM Role that GitHub is able to assume via GitHub OIDC. This role has access to the bucket and table for planfiles.
-

docs/layers/gitops/setup.mdx

@@ -16,7 +16,7 @@ import CodeBlock from '@theme/CodeBlock';
 :::warning Deprecated
 This documentation describes the legacy GitHub Actions GitOps setup.
 
-**The recommended approach now uses [Atmos Pro](/layers/atmos-pro/)**, which provides integrated Terraform automation with no custom workflow configuration required.
+For current examples using Atmos Native CI, see [`cloudposse-examples/atmos-native-ci`](https://github.com/cloudposse-examples/atmos-native-ci) and the [Atmos CI documentation](https://atmos.tools/ci).
 
 This content is preserved for users with existing GitHub Actions GitOps deployments.
 :::

examples/legacy/snippets/.github/workflows/atmos-terraform-plan.yaml

@@ -2,7 +2,7 @@ name: 👽 Atmos Terraform Plan
 run-name: 👽 Atmos Terraform Plan
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -18,7 +18,8 @@ jobs:
   atmos-affected:
     if: ${{ !contains( github.event.pull_request.labels.*.name, 'no-plan') }}
     name: Determine Affected Stacks
-    runs-on: 
+    environment: plan
+    runs-on:
       - runs-on=${{ github.run_id }}
       - runner=terraform
       - extras=s3-cache
@@ -30,7 +31,7 @@ jobs:
           atmos-version: ${{ vars.ATMOS_VERSION }}
           atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }}
           base-ref: ${{ github.event.pull_request.base.sha }}
-          head-ref: ${{ github.event.pull_request.head.sha }}
+          head-ref: ${{ github.sha }}
     outputs:
       stacks: ${{ steps.affected.outputs.matrix }}
       has-affected-stacks: ${{ steps.affected.outputs.has-affected-stacks }}
@@ -48,6 +49,5 @@ jobs:
       stacks: ${{ matrix.items }}
       atmos-version: ${{ vars.ATMOS_VERSION }}
       atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }}
-      sha: ${{ github.event.pull_request.head.sha }}
+      sha: ${{ github.sha }}
     secrets: inherit
-