I was very interested in the post on the security blog: https://securitylab.github.com/research/github-actions-preventing-pwn-requests, but I noticed that it’s possible to force the `workflow_run` action to post to the wrong PR if `ReceivePR.yaml` is modified to spoof an accepted PR number.
I want to set up an action that prevents other actions from running in the case that an action yaml file is modified in a pull request. This is not to prevent these files from changing at all, but it’s more to prevent certain actions from running if a PR includes any changes to the action yaml files. Does anyone know how to do this?
One of my concerns is that I’ve found that `pull_request` and even `pull_request_target` triggers will run from the code in a forked repository, meaning that it’s possible to bypass any checks that are run in the pull request (e.g. spoof a PR number for the subsequent `workflow_run` action, or remove restricted `paths` from the workflow control). At that point, it comes down to the maintainers to make sure there is no malicious code.
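A defensive check for the spoofed-PR-number problem described in the post, as an added example that is not part of the original discussion or of the blog post's code: the privileged `workflow_run` job should not trust the PR number read from the artifact, but cross-check it against the PRs actually associated with the triggering run's `head_sha` (for example the result of `GET /repos/{owner}/{repo}/commits/{sha}/pulls`). The event payload and API response below are constructed stand-ins, and the function names are assumptions.

```python
import re
from typing import Optional

# Constructed sample of the workflow_run event payload the privileged
# workflow receives (real field names, made-up values).
WORKFLOW_RUN_EVENT = {
    "workflow_run": {
        "event": "pull_request",
        "head_sha": "0123456789abcdef0123456789abcdef01234567",
        "head_repository": {"full_name": "someone/fork"},
    }
}

# Constructed stand-in for the response of
# GET /repos/{owner}/{repo}/commits/{sha}/pulls for that head_sha
# (only the fields the check needs are kept).
ASSOCIATED_PRS = [
    {"number": 42, "head": {"sha": "0123456789abcdef0123456789abcdef01234567"}},
]


def parse_claimed_pr(artifact_text: str) -> Optional[int]:
    """The artifact was written by untrusted fork code: accept only a bare
    decimal PR number, nothing else."""
    text = artifact_text.strip()
    if not re.fullmatch(r"[1-9][0-9]{0,9}", text):
        return None
    return int(text)


def resolve_pr_number(artifact_text: str, event: dict,
                      associated_prs: list) -> Optional[int]:
    """Return the PR number it is safe to post to, or None.

    The number claimed in the artifact is accepted only if the triggering
    run was a pull_request run AND a PR with that number has the run's
    head_sha as its head commit. A spoofed number for some other PR fails
    the second condition, so the privileged job posts nothing.
    """
    run = event["workflow_run"]
    if run.get("event") != "pull_request":
        return None
    claimed = parse_claimed_pr(artifact_text)
    if claimed is None:
        return None
    head_sha = run["head_sha"]
    for pr in associated_prs:
        if pr["number"] == claimed and pr["head"]["sha"] == head_sha:
            return claimed
    return None
```

In the real job the API call replaces `ASSOCIATED_PRS`, and a `None` result should fail the step rather than fall back to the artifact value.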