Fix secrets access in foreign PRs (#934)

This commit is contained in:
Auguste Rame 2023-01-22 14:54:38 -05:00 committed by GitHub
parent e2307d7dbf
commit 3a86687ae7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1,7 +1,13 @@
name: Sus Fuzzing name: Sus Fuzzing
on: on:
pull_request: # pull_request_target can be dangerous but necessary here to access secrets.
# I'm pretty comfortable using it because:
# - We limit all permissions (including GITHUB_TOKEN) to read-only
# - We limit runs to labelled PRs only which prevents random exploitation
# - We don't expose secrets in environment variables which makes exploitation much more difficult
# - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space)
pull_request_target:
types: [labeled, synchronize] types: [labeled, synchronize]
push: push:
paths: paths:
@ -17,6 +23,8 @@ on:
description: How long should fuzzing last? (sleep time argument) description: How long should fuzzing last? (sleep time argument)
default: 15m default: 15m
permissions: read-all
jobs: jobs:
fuzz: fuzz:
if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz') if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz')