Use pull_request_target for mattermost.yml #2713

Open

addshore wants to merge 1 commit into wmde:main from addshore:pr-notify

Conversation

@addshore (Contributor) commented May 3, 2026

Make the workflow run from the target/base branch instead of the PR source branch so that it has access to repo secrets [1].

User-provided PRs cannot change the workflow code that is running, unless the repo is already compromised.

[1] The workflow runs from the target/base branch (your main), and has access to repo secrets. However, user-provided PRs can thus not change the workflow code that is running, unless your repo is already compromised.
@outdooracorn (Member) left a comment:
So what does this PR do? Please state that in the PR description.

  pull_request_target:
    types: [ opened, reopened ]

permissions: {}
Member comment on the lines above:
How come this change?

    runs-on: ubuntu-latest
    if: ${{ github.actor != 'dependabot[bot]' }}
    steps:
      - uses: mattermost/action-mattermost-notify@2.0.0
@addshore (Contributor, Author) commented on the lines above:
Arguably another improvement would either be pinning this image, OR just not using the image and calling the webhook directly,
as this action is technically unpinned external code (however, this was a problem that already existed).
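The second option from the comment above, written out as an added example (this is not the mattermost.yml from this PR): a `pull_request_target` workflow that keeps the token permission-less, never checks out the PR's code, and posts to the webhook with `curl` instead of running third-party action code. The secret name `MATTERMOST_WEBHOOK_URL` and the message text are assumptions.

```yaml
# Added example, not the repository's own workflow.
name: PR notify
on:
  pull_request_target:
    types: [ opened, reopened ]

permissions: {}   # GITHUB_TOKEN gets no scopes at all

jobs:
  notify:
    runs-on: ubuntu-latest
    if: ${{ github.actor != 'dependabot[bot]' }}
    steps:
      # No actions/checkout step: with pull_request_target the workflow
      # definition comes from the base branch, and the PR's own files are
      # never fetched, so a fork cannot change what runs here.
      - name: Post to Mattermost
        env:
          # Secret name is an assumption; it is available because the
          # workflow runs in the base repository's context.
          WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
          # Untrusted PR fields are passed through env, not templated into
          # the script, so a crafted PR title cannot inject shell syntax.
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # jq builds the JSON so quoting in the title is escaped correctly
          payload=$(jq -n --arg t "$PR_TITLE" --arg u "$PR_URL" \
            '{text: ("New PR: " + $t + " " + $u)}')
          curl --fail --silent --show-error -X POST \
            -H 'Content-Type: application/json' \
            --data "$payload" "$WEBHOOK_URL"
      # If the action is kept instead, pin it to a full commit SHA rather
      # than a mutable tag (placeholder, not a real SHA):
      # - uses: mattermost/action-mattermost-notify@<full-commit-sha>
```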
