From 3a86687ae7208dd5e03bc1bad2a832238cd2200b Mon Sep 17 00:00:00 2001
From: Auguste Rame <19855629+SuperAuguste@users.noreply.github.com>
Date: Sun, 22 Jan 2023 14:54:38 -0500
Subject: [PATCH] Fix secrets access in foreign PRs (#934)

---
 .github/workflows/fuzz.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index cd532a0..dea1026 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -1,7 +1,13 @@
 name: Sus Fuzzing
 
 on:
-  pull_request:
+  # pull_request_target can be dangerous but necessary here to access secrets.
+  # I'm pretty comfortable using it because:
+  # - We limit all permissions (including GITHUB_TOKEN) to read-only
+  # - We limit runs to labelled PRs only which prevents random exploitation
+  # - We don't expose secrets in environment variables which makes exploitation much more difficult
+  # - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space)
+  pull_request_target:
     types: [labeled, synchronize]
   push:
     paths:
@@ -17,6 +23,8 @@ on:
         description: How long should fuzzing last? (sleep time argument)
         default: 15m
 
+permissions: read-all
+
 jobs:
   fuzz:
     if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz')