Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests | GitHub Security Lab
Fri May 12 2023 15:06:47 GMT+0000 (Coordinated Universal Time)
Saved by @mybusybeeadmin
# INSECURE. Provided as an example only.
# pull_request_target runs in the context of the base repository, so the job
# gets a write-scoped GITHUB_TOKEN and access to repository secrets even when
# the pull request comes from a fork.
on:
  pull_request_target

jobs:
  build:
    name: Build and test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # Checks out the untrusted pull request head, so every later step
          # runs code controlled by the PR author.
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v1
      - run: |
          # Executes the checked-out project's install and build scripts
          # (package.json lifecycle hooks included) with secrets in reach.
          npm install
          npm build
      - uses: completely/fakeaction@v2
        with:
          # A repository secret is handed to a step that runs after the
          # untrusted code above has already executed.
          arg1: ${{ secrets.supersecret }}
      - uses: fakerepo/comment-on-pr@v1
        with:
          message: |
            Thank you!
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/