github
Dependabot Actions troubleshooting suggestions might be insecure
Code of Conduct
- [x] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://github.com/github/docs/blob/e2f952a115fc4cb3d34281b1fa472ac3cd33e7da/data/reusables/dependabot/dependabot-on-actions-troubleshooting-workflows.md?plain=1#L7-L8
What part(s) of the article would you like to see updated?
- It currently recommends a
if: github.actor != 'dependabot[bot]'check Maybe (at least for pull requests) it would be safer to usegithub.event.pull_request.user.login != 'dependabot[bot]'. Otherwise malicious users could abuse this to skip certain workflows, see related https://www.synacktiv.com/publications/github-actions-exploitation-dependabot. - It currently suggests using
pull_request_targetand a "two-step process" without going into detail. It might be safer to not recommendpull_request_target(due to its inherent security risks), but rather suggest increasing thepermissionsand using Dependabot secrets (which is bullet point 3 of that recommendations list, so maybe this point 2 can simply be omitted?).
Additional information
I am not completely sure about the proposed changes, so please let me know if I forget to consider something, or if something I wrote is incorrect.
Thanks so much for opening another issue! I'll get this triaged for review, too.
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
This is a gentle bump for the docs team that this issue is waiting for technical review.
This is a gentle reminder for the docs team that this issue is waiting for technical review by a subject matter expert (SME).