Prevent actions from running if actions yaml files are modified

I was very interested in the post on the security blog: https://securitylab.github.com/research/github-actions-preventing-pwn-requests, but I noticed that it’s possible to force the workflow_run action to post to the wrong PR if ReceivePR.yaml is modified to spoof an accepted PR number.

I want to set up an action that prevents other actions from running in the case that an action yaml file is modified in a pull request. This is not to prevent these files from changing at all, but it’s more to prevent certain actions from running if a PR includes any changes to the action yaml files. Does anyone know how to do this?

One of my concerns is that I’ve found that pull_request and even pull_request_target triggers will run from the code in a forked repository, meaning that it’s possible to bypass any checks that are run in the pull request (e.g. spoof a PR number for the subsequent workflow_run action, or remove restricted paths from the workflow control). At that point, it comes down to the maintainers to make sure there is no malicious code.

I’m going to answer my own question for the poor souls of the future who stumble here.

The payload of a workflow_run triggered from a pull_request contains head_commit. With this, if you get the pull request using the API, you can use ${{ pullRequest.data.head.sha }} == ${{ github.event.workflow_run.head_commit.sha }} to identify if the pull request has been spoofed.

You can also get a list of the files with octokit.pulls.ListFiles() and check that none of them start with .github/.

FWIW, I wrote my own action to do this: GitHub - zkamvar/check-valid-pr