Fix secrets access in foreign PRs (#934)

2023-01-22 14:54:38 -05:00 · 2023-01-22 14:54:38 -05:00 · 3a86687ae7
commit 3a86687ae7
parent e2307d7dbf
1 changed files with 9 additions and 1 deletions
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@ -1,7 +1,13 @@
 name: Sus Fuzzing

 on:
-  pull_request:
+  # pull_request_target can be dangerous but necessary here to access secrets.
+  # I'm pretty comfortable using it because:
+  # - We limit all permissions (including GITHUB_TOKEN) to read-only
+  # - We limit runs to labelled PRs only which prevents random exploitation
+  # - We don't expose secrets in environment variables which makes exploitation much more difficult
+  # - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space)
+  pull_request_target:
    types: [labeled, synchronize]
  push:
    paths:
@ -17,6 +23,8 @@ on:
        description: How long should fuzzing last? (sleep time argument)
        default: 15m

+permissions: read-all
+
 jobs:
  fuzz:
    if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz')