
About that security warning #4

Open
pllim opened this issue Jul 13, 2023 · 2 comments

Comments

@pllim

pllim commented Jul 13, 2023

To remove the security warning, theoretically you could run this action only on push commits to main, then check whether the commit is a merge commit and whether that merge commit was created by merging a PR. If not, it is just a no-op; if yes, you run the milestone thingy.

@stefanv
Member

stefanv commented Aug 1, 2023

I'm missing some context here, but yes we could filter inside the action. The action already checks if a merge was made before adding the milestone, IIRC.

@pllim
Author

pllim commented Aug 1, 2023

Sorry, I am talking about this:

## Warning!
The workflow above runs as `pull_request_target`, meaning it has access to repository secrets.
This is not usually a problem, since our action does nothing but attach a milestone to a PR using the provided token.
But, you should **not add further commands to the workflow**, such as checking out the PR and executing code from it.
If you do that, PR authors can gain access to your secrets.
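The push-to-main variant pllim proposes above, which would let the workflow drop the `pull_request_target` trigger the warning describes, written as an added example rather than the action's own code: a POSIX shell step that decides whether the pushed HEAD is a PR merge and only then does the milestone work. `MILESTONE` and the `gh pr edit` call are placeholders for whatever the action actually does, and squash merges are handled as well, which goes slightly beyond the merge-commit case in the comment.

```shell
#!/bin/sh
# Added example, not the project's code: the push-to-main check pllim
# describes, meant as the `run:` body of a step in a workflow triggered by
# `on: push: branches: [main]` instead of `pull_request_target`.
# Assumption: $MILESTONE and the `gh pr edit` call stand in for the action.
# pr_number_from_merge PARENT_COUNT SUBJECT
# Prints the PR number when the commit is a GitHub merge commit
# ("Merge pull request #N from ...") or a squash merge ("Title (#N)");
# returns 1 for anything else, which is the no-op case.
pr_number_from_merge() {
  parents="$1"
  subject="$2"
  case "$subject" in
    "Merge pull request #"*)
      # a real merge commit has two parents; a copied subject line does not
      [ "$parents" -ge 2 ] || return 1
      n=${subject#"Merge pull request #"}
      n=${n%% *}
      ;;
    *"(#"*")")
      # squash merges have one parent; GitHub appends " (#N)" to the title
      n=${subject##*"(#"}
      n=${n%")"}
      ;;
    *)
      return 1
      ;;
  esac
  # accept digits only, so an odd subject cannot smuggle in an argument
  case "$n" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$n"
}

# Workflow-step entry point: inspect HEAD of the branch that was pushed.
main() {
  parents=$(( $(git rev-list --parents -n 1 HEAD | wc -w) - 1 ))
  subject=$(git log -1 --pretty=%s HEAD)
  if pr=$(pr_number_from_merge "$parents" "$subject"); then
    echo "Push to main merged PR #$pr; attaching milestone"
    gh pr edit "$pr" --milestone "$MILESTONE"   # placeholder for the action
  else
    echo "Not a PR merge commit; nothing to do"
  fi
}

# Invoke as `sh milestone-check.sh run` from the workflow step.
if [ "${1:-}" = "run" ]; then main; fi
```

Because the step never checks out or executes anything from the PR, the repository token it uses is only ever exposed to code already on main.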
