Fix secrets access in foreign PRs (#934)
parent
e2307d7dbf
commit
3a86687ae7
10
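--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -1,7 +1,13 @@
 name: Sus Fuzzing
 
 on:
-  pull_request:
+  # pull_request_target can be dangerous but necessary here to access secrets.
+  # I'm pretty comfortable using it because:
+  # - We limit all permissions (including GITHUB_TOKEN) to read-only
+  # - We limit runs to labelled PRs only which prevents random exploitation
+  # - We don't expose secrets in environment variables which makes exploitation much more difficult
+  # - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space)
+  pull_request_target:
     types: [labeled, synchronize]
   push:
     paths:
@@ -17,6 +23,8 @@ on:
         description: How long should fuzzing last? (sleep time argument)
         default: 15m
 
+permissions: read-all
+
 jobs:
   fuzz:
     if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz')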
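Review bot: The job guard visible at the end of the second hunk still tests `github.event_name != 'pull_request'`, but the first hunk replaces the `pull_request` trigger with `pull_request_target`, so for every `pull_request_target` run the left operand is true and the `pr:fuzz` label check is never evaluated — the "labelled PRs only" restriction the new comment relies on is not actually enforced. The condition should name the new event, `if: github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz')`. Note also that with `types: [labeled, synchronize]` a label granted once keeps applying to later pushes to the same PR, which is worth stating in the comment block so maintainers know the label is a standing grant rather than a one-off approval. The `fuzz` job body continues outside the hunk, so whether it checks out the PR head (where the read-only `permissions` and the label gate carry the most weight) cannot be confirmed here.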