codeigniter4
chore: make greetings on PR First-time Contrib
Description Ref codeigniter4/CodeIgniter4#8878.
Checklist:
- [x] Securely signed commits
- [ ] Component(s) with PHPDoc blocks, only if necessary or adds value
- [ ] Unit testing, with >80% coverage
- [ ] User guide updated
- [x] Conforms to style guide
By Claude 3 Sonnet.
Q: We are running an open source project on GitHub and using GitHub Actions for all pull requests. What are the security considerations when using pull_requedt_target in workflows?
When using the pull_request_target event in GitHub Actions workflows, there are some important security considerations to keep in mind:
-
Untrusted Code: The
pull_request_targetevent runs the workflow code from the pull request's head commit, which means it executes code from an untrusted source. This code could potentially be malicious, so it's crucial to ensure that your workflow doesn't perform any sensitive operations or expose any secrets. -
Code Injection: If your workflow includes steps that allow user input or use external data sources, there's a risk of code injection attacks. Malicious code could be injected into your workflow, leading to unintended actions or data leaks.
-
Permissions: By default, the
pull_request_targetevent runs with read-only permissions to the repository. However, if your workflow requires write access, you'll need to grant theGITHUB_TOKENpermissions explicitly. This introduces a potential risk if the workflow is compromised, as it could then make unauthorized changes to your repository. -
Secrets Exposure: If your workflow uses secrets (e.g., API keys, passwords), they could potentially be exposed to the untrusted code in the pull request. It's recommended to avoid using secrets in workflows triggered by the
pull_request_targetevent, or at least limit their usage to read-only operations. -
Resource Exhaustion: Malicious pull requests could attempt to overwhelm your system resources (e.g., CPU, memory, disk space) by running resource-intensive operations in the workflow. It's important to set reasonable limits and monitor resource usage.
To mitigate these risks, consider the following best practices:
- Validate Inputs: Sanitize and validate all inputs and data sources used in your workflow to prevent code injection attacks.
-
Minimize Permissions: Grant the minimum required permissions to the
GITHUB_TOKENor use a custom token with limited scope. -
Avoid Secrets: If possible, avoid using secrets in workflows triggered by the
pull_request_targetevent. If you must use secrets, ensure they are only used for read-only operations. - Resource Limits: Set appropriate resource limits for your workflows to prevent resource exhaustion attacks.
- Code Review: Thoroughly review the code in pull requests before merging, especially if the workflow performs sensitive operations.
- Monitoring and Logging: Implement monitoring and logging mechanisms to detect and respond to potential security incidents or misuse.
- Security Updates: Keep your GitHub Actions environment and dependencies up-to-date with the latest security patches and updates.
By following these best practices, you can mitigate the risks associated with running untrusted code in your GitHub Actions workflows and maintain a secure environment for your open-source project.
Based on actions/first-interaction's readme, it is enough to use pull_request event:
https://github.com/actions/first-interaction?tab=readme-ov-file#usage
@ddevsr Thank you. But did you test this works on pull requests by contributers?
By ChatGPT.
Using pull_request_target in GitHub Actions workflows comes with several security considerations, especially for open-source projects where pull requests (PRs) may come from untrusted contributors. Here’s what you need to keep in mind:
1. Access to Secrets
- Workflows triggered by
pull_request_targetrun in the context of the base repository (i.e., the repository into which the PR is being merged). This means they have access to secrets and can perform actions with the repository's permissions. - An attacker could potentially submit a malicious PR to exploit this, accessing secrets or performing unauthorized actions.
2. Careful with Untrusted Code
- Avoid checking out and running untrusted code directly from the PR in these workflows. If you do need to check out the PR, consider using
actions/checkoutwithref: ${{ github.event.pull_request.head.ref }}instead of the PR’s branch, but be cautious. - One safer approach is to validate the PR (e.g., linting, formatting, running tests) without exposing secrets or doing anything sensitive.
3. Use Limited Scopes
- Ensure the GitHub token (
GITHUB_TOKEN) or any other credentials used in the workflow are scoped appropriately, limiting permissions as much as possible. - Consider using the
permissionskey in the workflow file to restrict the default permissions of theGITHUB_TOKEN.
4. Review and Approval
- Implement mandatory code reviews before workflows using
pull_request_targetcan be merged. This adds an additional layer of protection by ensuring that a maintainer reviews potentially malicious code before it executes.
5. Limit Workflow Modifications
- Be cautious about allowing workflows or configuration files to be modified in PRs, as these changes could be exploited. Ensure that any changes to workflow files are reviewed thoroughly.
6. Consider Alternative Triggers
- For untrusted code or contributors, consider using
pull_requestinstead ofpull_request_targetif you don’t need access to secrets or write permissions. This trigger runs in the context of the fork, offering more isolation.
7. Custom Environment Variables
- Be careful when passing custom environment variables to workflows triggered by
pull_request_target. Avoid passing sensitive information directly from the PR.
Summary
Using pull_request_target is powerful but should be approached with caution, especially in open-source projects. The key is to limit exposure and access to sensitive resources, thoroughly review untrusted code, and ensure workflows are tightly controlled and reviewed.