feat: extend GHA integration to support pull_request_target events
This change makes it possible to use the GitHub Action (GHA) integration for PRs that originate from forks, by enabling workflows to run on the `pull_request_target` event. This change is simple enough, but comes with some heavy security considerations. In order for the GHA to run, a workflow using it will need to check out the PR's code. This requires very careful attention so as not to allow so-called "pwn requests":

* securitylab.github.com/research/github-actions-preventing-pwn-requests
* blog.gitguardian.com/github-actions-security-cheat-sheet

To that end, the documentation updates that go with this change will be explicit in their warnings about how to properly use the Phylum GHA in the most secure way possible. This effectively means the workflow should be limited to executing the bare minimum required for Phylum analysis. Further, the Phylum analysis that does run will need to do so in a way that does not allow for arbitrary code execution. Therefore, this PR is intended to be held back until the Phylum CLI adds some additional protections around lockfile generation.

Closes #331
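The "pwn request" the commit message warns about, shown as two workflow fragments. This is an added example, not code from the Phylum repository or its documentation. The first document is the dangerous shape: `pull_request_target` runs in the base repository's context with secrets and a writable `GITHUB_TOKEN`, the job checks out the fork's branch, and then executes it (here via `npm install`, whose lifecycle scripts the PR author controls). The second document is the minimal-surface shape the message describes: read-only token, checkout pinned to the PR head SHA with no persisted credentials, and no step that runs anything from the PR. The workflow and job names, the `phylum-dev/phylum-analyze-pr-action@v1` reference, its `phylum_token` input and the `PHYLUM_TOKEN` secret name are assumptions for illustration; the page does not give the action's real name or inputs.

```yaml
# Document 1: the vulnerable pattern (constructed example, do not use).
name: analyze-pr-unsafe
on:
  pull_request_target:
    types: [opened, synchronize]

jobs:
  analyze:
    runs-on: ubuntu-latest
    # No `permissions:` block, so the job inherits the repository default,
    # which may be a GITHUB_TOKEN with write access to the base repository.
    steps:
      - uses: actions/checkout@v3
        with:
          # Checks out the fork's *branch*, which the PR author can still
          # push to after review, from the fork repository itself...
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.ref }}
          # ...and (default) leaves the base repo token in .git/config.
      # Executes attacker-controlled package.json lifecycle scripts with that
      # token and every repository secret available to the job.
      - run: npm install

---
# Document 2: the minimal-surface pattern the commit message calls for.
name: analyze-pr
on:
  pull_request_target:
    types: [opened, synchronize]

# Least privilege for the whole workflow: read the code, post a PR comment.
permissions:
  contents: read
  pull-requests: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Pin to the exact commit that triggered the run. Fork commits are
          # reachable from the base repository's pull request refs, so no
          # `repository:` override is needed.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not persist the base repository token into the checkout.
          persist-credentials: false
      # Deliberately no install/build/test step: nothing from the PR executes.
      # The analysis action below is the only consumer of the checked-out
      # tree; per the commit message it must itself avoid executing PR code
      # (e.g. during lockfile generation). Action name and input are assumed.
      - uses: phylum-dev/phylum-analyze-pr-action@v1
        with:
          phylum_token: ${{ secrets.PHYLUM_TOKEN }}
```

When reviewing a workflow of this kind, the three things to check are that the trigger is `pull_request_target`, that `permissions:` is declared and minimal, and that no `run:` step or action after the checkout executes anything that the PR can influence (package manager installs, build scripts, tests, linters with plugin loading). The first document fails all three; the second passes them only as long as the analysis action holds to the "no arbitrary code execution" constraint the commit message says is still pending in the CLI.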