changed pull_request_target to pull_request for better security in wo…

…rkflow (#758)
auth0 · Sep 6, 2024 · cea3c17 · cea3c17
2 parents d8ac49e + 886ba6c
commit cea3c17
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 19 deletions.
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -2,7 +2,7 @@ name: Semgrep
 
 on:
   merge_group:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -20,15 +20,8 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
 
   run:
-    needs: authorize # Require approval before running on forked pull requests
 
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -3,7 +3,7 @@ name: Snyk
 on:
   merge_group:
   workflow_dispatch:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - synchronize
@@ -21,15 +21,9 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
-  authorize:
-    name: Authorize
-    environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - run: true
+
 
   check:
-    needs: authorize
 
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest

diff --git a/.snyk b/.snyk
@@ -5,16 +5,16 @@ ignore:
   SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135:
     - '*':
         reason: Latest version of dokka has this vulnerability
-        expires: 2024-08-31T12:08:37.765Z
+        expires: 2024-10-31T12:19:35.000Z
         created: 2024-08-01T12:08:37.770Z
   SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
     - '*':
         reason: Latest version of dokka has this vulnerability
-        expires: 2024-08-31T12:08:55.924Z
+        expires: 2024-10-31T12:19:35.000Z
         created: 2024-08-01T12:08:55.927Z
   SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538:
     - '*':
         reason: Latest version of dokka has this vulnerability
-        expires: 2024-08-31T12:08:02.966Z
+        expires: 2024-10-31T12:19:35.000Z
         created: 2024-08-01T12:08:02.973Z
 patch: {}