fix(ci): use merge commit ref in backport workflow for fork PRs #820
The backport workflow uses pull_request_target which runs with the base repo's privileges. Recent actions/checkout versions now block checking out fork PR code in this context to prevent "pwn request" attacks. Since the backport only runs on already-merged PRs, use the merge commit SHA from the base repo instead of the fork's head SHA.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- The backport workflow uses `pull_request_target`, which runs with the base repo's privileges (secrets, tokens, cache)
- Recent `actions/checkout` versions now block checking out fork PR code in this context to prevent "pwn request" attacks
- Switched from `head.sha` (fork code) to `merge_commit_sha` (base repo code) -- avoiding the security issue entirely

Test plan

- Merge a PR with a `backport/*` label and verify the backport PR is created correctly

🤖 Generated with Claude Code
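The weak and the corrected checkout side by side, as an added illustration that is not this project's workflow: a `pull_request_target` backport job that runs only for merged PRs carrying a `backport/*` label and checks out the merge commit from the base repository rather than the fork's head. The workflow name, job name, the label expression and the verification step are assumptions; the trigger, the label convention and the ref choice follow the PR description.

```yaml
# Added example (not the project's own workflow). Assumed names: the workflow
# and job names, the label filter expression and the verification step.
name: backport

on:
  pull_request_target:
    types: [closed]

permissions:
  contents: write
  pull-requests: write

jobs:
  backport:
    # Only merged PRs have a merge commit on the base branch to check out;
    # the backport/* label gate mirrors the convention in the PR description.
    if: >-
      github.event.pull_request.merged == true &&
      contains(join(github.event.pull_request.labels.*.name, ','), 'backport/')
    runs-on: ubuntu-latest
    steps:
      # BEFORE (weak): under pull_request_target this step would check out the
      # fork's head commit while the job holds base-repo privileges, and recent
      # actions/checkout versions refuse this ref in that context.
      #
      #   - uses: actions/checkout@v4
      #     with:
      #       ref: ${{ github.event.pull_request.head.sha }}

      # AFTER (fixed): the merge commit already lives in the base repository,
      # so only reviewed, merged code is checked out. Credentials are not kept
      # in .git/config; a backport tool should authenticate with its own token.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.merge_commit_sha }}
          fetch-depth: 0
          persist-credentials: false

      # Sanity check: HEAD must be exactly the merge commit named in the event.
      - name: Verify checked-out ref
        env:
          EXPECTED: ${{ github.event.pull_request.merge_commit_sha }}
        run: |
          actual="$(git rev-parse HEAD)"
          if [ "$actual" != "$EXPECTED" ]; then
            echo "unexpected HEAD $actual (expected $EXPECTED)" >&2
            exit 1
          fi

      # The actual backport (cherry-pick onto the target branch, open the PR)
      # follows here with whatever tool the repository uses.
```

The `merged == true` gate matters on its own: for a PR that was closed without merging, `merge_commit_sha` does not point at code on the base branch, so the ref choice only removes the fork-code problem when the job is restricted to merged PRs, which is exactly the condition the fix relies on.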