From 81db9f345a5955747bfae8f12192b25a6e9b7099 Mon Sep 17 00:00:00 2001 From: wrslatz Date: Tue, 29 Apr 2025 12:15:23 -0400 Subject: [PATCH 01/39] docs: untrusted code risks in actions --- .../actions/reference/security/secure-use.md | 48 ++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 8876f100de3e..7716aa2127ef 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -105,7 +105,53 @@ For more information, see [AUTOTITLE](/code-security/code-scanning/introduction- To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token). -### Using third-party actions +{% ifversion custom-org-roles %} + +## Understanding the risks of untrusted code checkout + +Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows have write access and access to secrets in the target repository, which can be exploited to take over a repository. + +Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. + +For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from GitHub Security Lab and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. + +## Good practices for mitigating untrusted code checkout risks + +There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in Actions workflows: + +### Avoid potentially dangerous workflow triggers + +Avoid using the `pull_request_target` and `workflow_run` workflow triggers if not necessary. Only use these workflow triggers when the workflow actually needs the privileged context and access from the target repo to be available in the workflow. + +### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content + +Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. + +### Use CodeQL to detect potentially vulnerable workflows + +[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable GitHub Actions workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that GitHub Actions scanning is enabled. + +### Use OpenSSF Scorecards to detect potentially vulnerable workflows + +[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using GitHub Actions. + +## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization + +You can practice the principle of least privilege for your organization's CI/CD pipeline with {% data variables.product.prodname_actions %} by administering custom organization roles. A custom organization role is a way to grant an individual or team in your organization the ability to control certain subsets of settings without granting full administrative control of the organization and its repositories. + +{% data reusables.actions.org-roles-for-gh-actions %} + +For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles). + +{% endif %} + +## Using OpenID Connect to access cloud resources + +{% data reusables.actions.about-oidc-short-overview %} + +{% data reusables.actions.oidc-custom-claims-aws-restriction %} + +## Using third-party actions The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them. From e4df5a1c63c3449368afee569bd7c065a5c5720c Mon Sep 17 00:00:00 2001 From: wrslatz Date: Tue, 29 Apr 2025 12:17:05 -0400 Subject: [PATCH 02/39] docs: expand pull_request_target warning links --- .../actions/pull-request-target-permissions-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/actions/pull-request-target-permissions-warning.md b/data/reusables/actions/pull-request-target-permissions-warning.md index 019b53f520eb..69ca2c1dcbe1 100644 --- a/data/reusables/actions/pull-request-target-permissions-warning.md +++ b/data/reusables/actions/pull-request-target-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` is granted read/write repository permission unless the `permissions` key is specified and the workflow can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` is granted read/write repository permission unless the `permissions` key is specified and the workflow can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. From bccd3760bc3e707d69ae48026223b466163fed9a Mon Sep 17 00:00:00 2001 From: wrslatz Date: Tue, 29 Apr 2025 12:18:33 -0400 Subject: [PATCH 03/39] docs: warning for workflow_run security risks --- .../workflows-and-actions/events-that-trigger-workflows.md | 2 ++ data/reusables/actions/workflow-run-permissions-warning.md | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 data/reusables/actions/workflow-run-permissions-warning.md diff --git a/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md b/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md index 8c4fe351820b..2edad4d26814 100644 --- a/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md +++ b/content/actions/reference/workflows-and-actions/events-that-trigger-workflows.md @@ -1222,6 +1222,8 @@ For more information, see the {% data variables.product.prodname_cli %} informat This event occurs when a workflow run is requested or completed. It allows you to execute a workflow based on execution or completion of another workflow. The workflow started by the `workflow_run` event is able to access secrets and write tokens, even if the previous workflow was not. This is useful in cases where the previous workflow is intentionally not privileged, but you need to take a privileged action in a later workflow. +{% data reusables.actions.workflow-run-permissions-warning %} + In this example, a workflow is configured to run after the separate "Run Tests" workflow completes. ```yaml diff --git a/data/reusables/actions/workflow-run-permissions-warning.md b/data/reusables/actions/workflow-run-permissions-warning.md new file mode 100644 index 000000000000..23d9aad1d0ac --- /dev/null +++ b/data/reusables/actions/workflow-run-permissions-warning.md @@ -0,0 +1,2 @@ +> [!WARNING] +> For workflows that are triggered by the `workflow_run` event, the `GITHUB_TOKEN` is granted read/write repository permission unless the `permissions` key is specified and the workflow can access secrets, even when it is triggered from a fork. You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. From e6a50fb5ba48994195e10f794a662b6f292ea307 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Wed, 9 Jul 2025 17:23:45 -0700 Subject: [PATCH 04/39] Update content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav Lobačevski Co-authored-by: Will Slattum --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 7716aa2127ef..3933bba691e5 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -125,7 +125,7 @@ Avoid using the `pull_request_target` and `workflow_run` workflow triggers if no ### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content -Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. +Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution (i.e. as untrusted). ### Use CodeQL to detect potentially vulnerable workflows From 834a87794fca9edb8b494ffae49cfa3e43615e1b Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Wed, 9 Jul 2025 17:24:49 -0700 Subject: [PATCH 05/39] Update content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav Lobačevski Co-authored-by: Will Slattum --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 3933bba691e5..88fc5b569db4 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -109,7 +109,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned ## Understanding the risks of untrusted code checkout -Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows have write access and access to secrets in the target repository, which can be exploited to take over a repository. +Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. From 809c2c594fb752cf199e5dbd0ccd28f4125880b6 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Wed, 9 Jul 2025 17:25:00 -0700 Subject: [PATCH 06/39] Update content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav Lobačevski Co-authored-by: Will Slattum --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 88fc5b569db4..2c8edcc7e7c8 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -121,7 +121,7 @@ There are a number of different approaches available to help you mitigate the ri ### Avoid potentially dangerous workflow triggers -Avoid using the `pull_request_target` and `workflow_run` workflow triggers if not necessary. Only use these workflow triggers when the workflow actually needs the privileged context and access from the target repo to be available in the workflow. +Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. ### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content From d03bd88ce97c7a85013428739215f39885824f84 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Wed, 9 Jul 2025 17:25:11 -0700 Subject: [PATCH 07/39] Update data/reusables/actions/pull-request-target-permissions-warning.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav Lobačevski Co-authored-by: Will Slattum --- .../actions/pull-request-target-permissions-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/actions/pull-request-target-permissions-warning.md b/data/reusables/actions/pull-request-target-permissions-warning.md index 69ca2c1dcbe1..c93fce14d35e 100644 --- a/data/reusables/actions/pull-request-target-permissions-warning.md +++ b/data/reusables/actions/pull-request-target-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` is granted read/write repository permission unless the `permissions` key is specified and the workflow can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` may be granted read/write repository permission (unless the `permissions` key is explicitly specified in the workflow or repository/organization default permission are set to Read-Only) and the workflow can access referenced secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should be cautious if checking out untrusted code from the pull request with this event. Make sure that you do not build, or run untrusted code from the pull request. When `pull_request_target` is triggered against the main branch it shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. From b1ff7f626772c861a5276d7bd5cf382d11a569d6 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Wed, 9 Jul 2025 17:25:23 -0700 Subject: [PATCH 08/39] Update data/reusables/actions/workflow-run-permissions-warning.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav Lobačevski Co-authored-by: Will Slattum --- data/reusables/actions/workflow-run-permissions-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/actions/workflow-run-permissions-warning.md b/data/reusables/actions/workflow-run-permissions-warning.md index 23d9aad1d0ac..7ecbac9e71e0 100644 --- a/data/reusables/actions/workflow-run-permissions-warning.md +++ b/data/reusables/actions/workflow-run-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> For workflows that are triggered by the `workflow_run` event, the `GITHUB_TOKEN` is granted read/write repository permission unless the `permissions` key is specified and the workflow can access secrets, even when it is triggered from a fork. You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> Workflows triggered by the `workflow_run` event are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets). You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. The workflow shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. From 1871bfa04f5a004614d50d87f53f10040c5365a3 Mon Sep 17 00:00:00 2001 From: wrslatz Date: Wed, 9 Jul 2025 21:15:48 -0400 Subject: [PATCH 09/39] docs: sync hardening info to enterprise-onboarding --- .../security-hardening-for-github-actions.md | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index bdb0a82a9c9e..375c71728d29 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -139,7 +139,7 @@ In this example, the attempted script injection is unsuccessful, which is reflec PR title did not start with 'octocat' ``` -With this approach, the value of the {% raw %}`${{ github.event.issue.title }}`{% endraw %} expression is stored in memory and used as a variable, and doesn't interact with the script generation process. In addition, consider using double quote shell variables to avoid [word splitting](https://github.com/koalaman/shellcheck/wiki/SC2086), but this is [one of many](https://mywiki.wooledge.org/BashPitfalls) general recommendations for writing shell scripts, and is not specific to {% data variables.product.prodname_actions %}. +With this approach, the value of the {% raw %}`${{ github.event.pull_request.title }}`{% endraw %} expression is stored in memory and used as a variable, and doesn't interact with the script generation process. In addition, consider using double quote shell variables to avoid [word splitting](https://github.com/koalaman/shellcheck/wiki/SC2086), but this is [one of many](https://mywiki.wooledge.org/BashPitfalls) general recommendations for writing shell scripts, and is not specific to {% data variables.product.prodname_actions %}. ### Using workflow templates for {% data variables.product.prodname_code_scanning %} @@ -152,6 +152,34 @@ For more information, see [AUTOTITLE](/code-security/code-scanning/introduction- To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token). +## Understanding the risks of untrusted code checkout + +Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. + +Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. + +For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from GitHub Security Lab and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. + +## Good practices for mitigating untrusted code checkout risks + +There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in Actions workflows: + +### Avoid potentially dangerous workflow triggers + +Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. + +### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content + +Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution (i.e. as untrusted). + +### Use CodeQL to detect potentially vulnerable workflows + +[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable GitHub Actions workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that GitHub Actions scanning is enabled. + +### Use OpenSSF Scorecards to detect potentially vulnerable workflows + +[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using GitHub Actions. + ## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization You can practice the principle of least privilege for your organization's CI/CD pipeline with {% data variables.product.prodname_actions %} by administering custom organization roles. A custom organization role is a way to grant an individual or team in your organization the ability to control certain subsets of settings without granting full administrative control of the organization and its repositories. From 153ca4209ac5277c12e75dd6a51e96ffc337b18d Mon Sep 17 00:00:00 2001 From: Will Slattum Date: Mon, 14 Jul 2025 14:56:55 -0400 Subject: [PATCH 10/39] docs: fix grammar and improve content in reusables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jaroslav Lobačevski --- .../actions/pull-request-target-permissions-warning.md | 2 +- data/reusables/actions/workflow-run-permissions-warning.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/reusables/actions/pull-request-target-permissions-warning.md b/data/reusables/actions/pull-request-target-permissions-warning.md index c93fce14d35e..774ed93b95c9 100644 --- a/data/reusables/actions/pull-request-target-permissions-warning.md +++ b/data/reusables/actions/pull-request-target-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` may be granted read/write repository permission (unless the `permissions` key is explicitly specified in the workflow or repository/organization default permission are set to Read-Only) and the workflow can access referenced secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should be cautious if checking out untrusted code from the pull request with this event. Make sure that you do not build, or run untrusted code from the pull request. When `pull_request_target` is triggered against the main branch it shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` may be granted read/write repository permission (unless the `permissions` key is explicitly specified in the workflow or repository/organization default permission are set to Read-Only) and the workflow can access referenced secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should be cautious if checking out untrusted code from the pull request with this event. Make sure that you do not build, or run untrusted code from the pull request. When `pull_request_target` is triggered against the main branch it shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. diff --git a/data/reusables/actions/workflow-run-permissions-warning.md b/data/reusables/actions/workflow-run-permissions-warning.md index 7ecbac9e71e0..a2822d8544bf 100644 --- a/data/reusables/actions/workflow-run-permissions-warning.md +++ b/data/reusables/actions/workflow-run-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> Workflows triggered by the `workflow_run` event are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets). You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. The workflow shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> Workflows triggered by the `workflow_run` event are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets). You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. The workflow shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. From 3b24c7d9b55969348af8f04ac535f1e938eeb06b Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 09:27:36 -0700 Subject: [PATCH 11/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index ff7c63b53366..d8ee03b628c8 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -113,7 +113,7 @@ Similar to script injection attacks, untrusted pull request content that automat Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. -For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from GitHub Security Lab and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. +For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. ## Good practices for mitigating untrusted code checkout risks From 454725db0d8369a9599ae3cde41a81f037a0c134 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 09:32:32 -0700 Subject: [PATCH 12/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index d8ee03b628c8..225e11a8518b 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -121,7 +121,7 @@ There are a number of different approaches available to help you mitigate the ri ### Avoid potentially dangerous workflow triggers -Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. +Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. ### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content From 135ce49534187b073332e24427b9c6caa76ec074 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 09:34:18 -0700 Subject: [PATCH 13/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 225e11a8518b..e7f5f47b133b 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -129,7 +129,7 @@ Avoid using the `pull_request_target` and `workflow_run` workflow triggers with ### Use CodeQL to detect potentially vulnerable workflows -[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable GitHub Actions workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that GitHub Actions scanning is enabled. +[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. ### Use OpenSSF Scorecards to detect potentially vulnerable workflows From 1d8099b846f43f1a4148cb08e0cbfe663cbc6162 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 09:35:13 -0700 Subject: [PATCH 14/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index e7f5f47b133b..4a1044b81c25 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -133,7 +133,7 @@ Avoid using the `pull_request_target` and `workflow_run` workflow triggers with ### Use OpenSSF Scorecards to detect potentially vulnerable workflows -[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using GitHub Actions. +[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. ## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization From 8989d458a763a4961b137ff7ca3a696a2b2b0b55 Mon Sep 17 00:00:00 2001 From: Will Slattum Date: Fri, 12 Sep 2025 13:07:42 -0400 Subject: [PATCH 15/39] docs: change product reference Reference what is being created with the product rather than the product itself Co-authored-by: Sharra-writes --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 4a1044b81c25..6be023585df8 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -117,7 +117,7 @@ For additional explanation, examples, and guidance on the risks of untrusted cod ## Good practices for mitigating untrusted code checkout risks -There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in Actions workflows: +There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in an action workflow: ### Avoid potentially dangerous workflow triggers From 2b8e32b36d901b7e353b30cd534396795ed719ee Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 10:46:36 -0700 Subject: [PATCH 16/39] Update content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md --- .../security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index 375c71728d29..264e89fcd734 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -158,7 +158,7 @@ Similar to script injection attacks, untrusted pull request content that automat Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. -For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from GitHub Security Lab and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. +For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from GitHub Security Lab and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. ## Good practices for mitigating untrusted code checkout risks From f3d1e1ae879f7e1e175cc8b7bf6ed402e6d7834b Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 10:50:42 -0700 Subject: [PATCH 17/39] Update content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md --- .../security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index 264e89fcd734..dde42f76fabf 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -166,7 +166,7 @@ There are a number of different approaches available to help you mitigate the ri ### Avoid potentially dangerous workflow triggers -Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. +Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. ### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content From d77656fce67b4deb4be1d2dbd024f7edcb1f94d1 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 11:07:02 -0700 Subject: [PATCH 18/39] Update content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md --- .../security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index dde42f76fabf..3c71f65330bd 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -174,7 +174,7 @@ Avoid using the `pull_request_target` and `workflow_run` workflow triggers with ### Use CodeQL to detect potentially vulnerable workflows -[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable GitHub Actions workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that GitHub Actions scanning is enabled. +[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. ### Use OpenSSF Scorecards to detect potentially vulnerable workflows From 07e97d8e6692cac7a31c2cdde1157ccf9fb6bd68 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 11:07:55 -0700 Subject: [PATCH 19/39] Update content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md --- .../security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index 3c71f65330bd..9c3a1bbfa386 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -178,7 +178,7 @@ Avoid using the `pull_request_target` and `workflow_run` workflow triggers with ### Use OpenSSF Scorecards to detect potentially vulnerable workflows -[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using GitHub Actions. +[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. ## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization From 5301aa935265e92166de7e202880ea9a0064c08f Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 11:10:17 -0700 Subject: [PATCH 20/39] Update data/reusables/actions/pull-request-target-permissions-warning.md --- .../actions/pull-request-target-permissions-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/actions/pull-request-target-permissions-warning.md b/data/reusables/actions/pull-request-target-permissions-warning.md index 774ed93b95c9..6d2951019a9e 100644 --- a/data/reusables/actions/pull-request-target-permissions-warning.md +++ b/data/reusables/actions/pull-request-target-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` may be granted read/write repository permission (unless the `permissions` key is explicitly specified in the workflow or repository/organization default permission are set to Read-Only) and the workflow can access referenced secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should be cautious if checking out untrusted code from the pull request with this event. Make sure that you do not build, or run untrusted code from the pull request. When `pull_request_target` is triggered against the main branch it shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` may be granted read/write repository permission (unless the `permissions` key is explicitly specified in the workflow or repository/organization default permission are set to Read-Only) and the workflow can access referenced secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should be cautious if checking out untrusted code from the pull request with this event. Make sure that you do not build, or run untrusted code from the pull request. When `pull_request_target` is triggered against the main branch it shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for {% data variables.product.prodname_actions %} documentation and [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. From 3253a3b061d182805d4d291c50c9d2b6bdd5050c Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 11:11:52 -0700 Subject: [PATCH 21/39] Update data/reusables/actions/workflow-run-permissions-warning.md --- data/reusables/actions/workflow-run-permissions-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/actions/workflow-run-permissions-warning.md b/data/reusables/actions/workflow-run-permissions-warning.md index a2822d8544bf..683d7ed431b0 100644 --- a/data/reusables/actions/workflow-run-permissions-warning.md +++ b/data/reusables/actions/workflow-run-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> Workflows triggered by the `workflow_run` event are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets). You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. The workflow shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for GitHub Actions documentation and [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> Workflows triggered by the `workflow_run` event are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets). You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. The workflow shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for {% data variables.product.prodname_actions %} documentation and [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. From 90927fe4828a51818a3db238bcab15cce2a21267 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 11:15:14 -0700 Subject: [PATCH 22/39] Update content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md --- .../security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index 9c3a1bbfa386..db672ec2b837 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -158,7 +158,7 @@ Similar to script injection attacks, untrusted pull request content that automat Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. -For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from GitHub Security Lab and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. +For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. ## Good practices for mitigating untrusted code checkout risks From 833242ab8d4870886bb67b4e763603c6d9c87094 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 11:17:54 -0700 Subject: [PATCH 23/39] Update data/reusables/actions/pull-request-target-permissions-warning.md --- .../actions/pull-request-target-permissions-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/actions/pull-request-target-permissions-warning.md b/data/reusables/actions/pull-request-target-permissions-warning.md index 6d2951019a9e..6b4109000324 100644 --- a/data/reusables/actions/pull-request-target-permissions-warning.md +++ b/data/reusables/actions/pull-request-target-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` may be granted read/write repository permission (unless the `permissions` key is explicitly specified in the workflow or repository/organization default permission are set to Read-Only) and the workflow can access referenced secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should be cautious if checking out untrusted code from the pull request with this event. Make sure that you do not build, or run untrusted code from the pull request. When `pull_request_target` is triggered against the main branch it shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for {% data variables.product.prodname_actions %} documentation and [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` may be granted read/write repository permission (unless the `permissions` key is explicitly specified in the workflow or repository/organization default permission are set to Read-Only) and the workflow can access referenced secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should be cautious if checking out untrusted code from the pull request with this event. Make sure that you do not build, or run untrusted code from the pull request. When `pull_request_target` is triggered against the main branch it shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for {% data variables.product.prodname_actions %} documentation and [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the {% data variables.product.prodname_security %} website. From ba5b0c4af171ce5262970b903b8e7d4eb48ce977 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 12 Sep 2025 11:18:50 -0700 Subject: [PATCH 24/39] Update data/reusables/actions/workflow-run-permissions-warning.md --- data/reusables/actions/workflow-run-permissions-warning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/reusables/actions/workflow-run-permissions-warning.md b/data/reusables/actions/workflow-run-permissions-warning.md index 683d7ed431b0..b7a35da1497a 100644 --- a/data/reusables/actions/workflow-run-permissions-warning.md +++ b/data/reusables/actions/workflow-run-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> Workflows triggered by the `workflow_run` event are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets). You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. The workflow shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for {% data variables.product.prodname_actions %} documentation and [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the GitHub Security Lab website. +> Workflows triggered by the `workflow_run` event are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets). You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. The workflow shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for {% data variables.product.prodname_actions %} documentation and [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the {% data variables.product.prodname_security %} website. From 416752337c9b21f459f8f7aeb4381c23bc19d3bf Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 14:01:13 -0700 Subject: [PATCH 25/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 6be023585df8..a714d3a06079 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -109,7 +109,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned ## Understanding the risks of untrusted code checkout -Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. +Similar to script injection attacks, untrusted pull request content that automatically triggers actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. From 50618ffd576555e9f37f400755388a6df48fe5bc Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 14:02:39 -0700 Subject: [PATCH 26/39] Update content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md --- .../security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index db672ec2b837..04b5409b848d 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -154,7 +154,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned ## Understanding the risks of untrusted code checkout -Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. +Similar to script injection attacks, untrusted pull request content that automatically triggers actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. From 19e739bb7bb7cc59ef55bc6c02deba76d23b8268 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 14:33:13 -0700 Subject: [PATCH 27/39] Update content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md --- .../security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index 04b5409b848d..4c09dfebe7df 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -162,7 +162,7 @@ For additional explanation, examples, and guidance on the risks of untrusted cod ## Good practices for mitigating untrusted code checkout risks -There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in Actions workflows: +There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in actions workflows: ### Avoid potentially dangerous workflow triggers From a13ba38709b5df16671e158ac1ae7e0ca4c83b1b Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 15:27:06 -0700 Subject: [PATCH 28/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index a714d3a06079..1b065602e86a 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -127,7 +127,7 @@ Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution (i.e. as untrusted). -### Use CodeQL to detect potentially vulnerable workflows +### Use {% data variables.product.prodname_codeql %} to detect potentially vulnerable workflows [CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. From 1cc35aac8de8149778423f92f42ca63a013de744 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 15:29:37 -0700 Subject: [PATCH 29/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 1b065602e86a..b0ed95c8732e 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -129,7 +129,7 @@ Avoid using the `pull_request_target` and `workflow_run` workflow triggers with ### Use {% data variables.product.prodname_codeql %} to detect potentially vulnerable workflows -[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. +[{% data variables.product.prodname_codeql %}](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [Configure the default setup for {% data variables.product.prodname_codeql %}](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. ### Use OpenSSF Scorecards to detect potentially vulnerable workflows From 5d3f38c1638dc0d89f233796362f726b552f7edc Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Tue, 16 Sep 2025 20:56:38 -0700 Subject: [PATCH 30/39] Apply suggestions from code review --- .../security-hardening-for-github-actions.md | 26 +------------------ 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index 4c09dfebe7df..bb23081c9735 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -154,31 +154,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned ## Understanding the risks of untrusted code checkout -Similar to script injection attacks, untrusted pull request content that automatically triggers actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. - -Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. - -For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. - -## Good practices for mitigating untrusted code checkout risks - -There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in actions workflows: - -### Avoid potentially dangerous workflow triggers - -Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. - -### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content - -Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution (i.e. as untrusted). - -### Use CodeQL to detect potentially vulnerable workflows - -[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. - -### Use OpenSSF Scorecards to detect potentially vulnerable workflows - -[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. +Untrusted pull request content that automatically triggers actions processing can also pose a security risk. For more information, see [AUTOTITLE](/actions/reference/security/secure-use). ## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization From efa11151a7eb3bdb41df6efbc51db63db1c6b56e Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Tue, 16 Sep 2025 21:14:37 -0700 Subject: [PATCH 31/39] Apply suggestions from code review Rearranging some things to be more efficient, and paring down some of the language where possible. --- .../actions/reference/security/secure-use.md | 20 ++++++------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index b0ed95c8732e..8e49673accfc 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -115,29 +115,21 @@ Review the [`pull_request_target` trigger documentation](/actions/writing-workfl For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. -## Good practices for mitigating untrusted code checkout risks +### Good practices There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in an action workflow: -### Avoid potentially dangerous workflow triggers +* Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. -Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. +* Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution. -### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content +* [{% data variables.product.prodname_codeql %}](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. -Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution (i.e. as untrusted). - -### Use {% data variables.product.prodname_codeql %} to detect potentially vulnerable workflows - -[{% data variables.product.prodname_codeql %}](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [Configure the default setup for {% data variables.product.prodname_codeql %}](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. - -### Use OpenSSF Scorecards to detect potentially vulnerable workflows - -[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. +* [OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. ## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization -You can practice the principle of least privilege for your organization's CI/CD pipeline with {% data variables.product.prodname_actions %} by administering custom organization roles. A custom organization role is a way to grant an individual or team in your organization the ability to control certain subsets of settings without granting full administrative control of the organization and its repositories. +You can grant an individual or team in your organization the ability to control certain subsets of settings without granting full administrative control of the organization and its repositories. {% data reusables.actions.org-roles-for-gh-actions %} From 4794b5584d7991f131d442840400e41345b8e0a2 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Wed, 17 Sep 2025 15:57:01 -0700 Subject: [PATCH 32/39] Apply suggestions from code review --- content/actions/reference/security/secure-use.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 8e49673accfc..bafd0b3f6b06 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -113,13 +113,13 @@ Similar to script injection attacks, untrusted pull request content that automat Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. -For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. +For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. ### Good practices There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in an action workflow: -* Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context. +* Avoid using the `pull_request_target` workflow trigger if it's not necessary. For privilege separation between workflows, `workflow_run` is a better trigger. Only use these workflow triggers when the workflow actually needs the privileged context. * Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution. From 824f53538ea4beb7c844a4b512351f8445fd5342 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Wed, 17 Sep 2025 15:58:18 -0700 Subject: [PATCH 33/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index bafd0b3f6b06..da807f00f3dc 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -107,7 +107,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned {% ifversion custom-org-roles %} -## Understanding the risks of untrusted code checkout +## Mitigating the risks of untrusted code checkout Similar to script injection attacks, untrusted pull request content that automatically triggers actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. From 50f9ae8b763b6e8364d078623ddad09ec53a9058 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Wed, 17 Sep 2025 20:10:52 -0700 Subject: [PATCH 34/39] Apply suggestions from code review --- content/actions/reference/security/secure-use.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index da807f00f3dc..5973a8be7655 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -109,9 +109,9 @@ To help mitigate the risk of an exposed token, consider restricting the assigned ## Mitigating the risks of untrusted code checkout -Similar to script injection attacks, untrusted pull request content that automatically triggers actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository. +Similar to script injection attacks, untrusted pull request content that automatically triggers actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged, which means they share the same cache of the main branch with other privileged workflow triggers, and may have repository write access and access to referenced secrets. These vulnerabilities can be exploited to take over a repository. -Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them. +For more information on these triggers, how to use them, and the associated risks, see [AUTOTITLE](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [AUTOTITLE](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run). For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. From 432e516c3b04ccf0dd17c1e6828b86dcc608bf7a Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Thu, 18 Sep 2025 08:52:35 -0700 Subject: [PATCH 35/39] Apply suggestions from code review Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> --- content/actions/reference/security/secure-use.md | 11 +++++------ .../security-hardening-for-github-actions.md | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 5973a8be7655..246b0279d8ec 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -111,21 +111,20 @@ To help mitigate the risk of an exposed token, consider restricting the assigned Similar to script injection attacks, untrusted pull request content that automatically triggers actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged, which means they share the same cache of the main branch with other privileged workflow triggers, and may have repository write access and access to referenced secrets. These vulnerabilities can be exploited to take over a repository. -For more information on these triggers, how to use them, and the associated risks, see [AUTOTITLE](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [AUTOTITLE](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run). +For more information on these triggers, how to use them, and the associated risks, see [AUTOTITLE](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and [AUTOTITLE](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_run). -For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard. +For additional examples and guidance on the risks of untrusted code checkout, see [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous-Workflow](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) documentation from OpenSSF Scorecard. ### Good practices -There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in an action workflow: * Avoid using the `pull_request_target` workflow trigger if it's not necessary. For privilege separation between workflows, `workflow_run` is a better trigger. Only use these workflow triggers when the workflow actually needs the privileged context. -* Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution. +* Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly check out untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution. -* [{% data variables.product.prodname_codeql %}](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled. +* {% data variables.product.prodname_codeql %} can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. You can configure default setup for the repository, and ensure that {% data variables.product.prodname_actions %} scanning is enabled. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). -* [OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. +* OpenSSF Scorecards can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. See [Using OpenSSF Scorecards to secure workflow dependencies](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) later in this article. ## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization diff --git a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md index bb23081c9735..7d05e46c1f73 100644 --- a/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md +++ b/content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md @@ -154,7 +154,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned ## Understanding the risks of untrusted code checkout -Untrusted pull request content that automatically triggers actions processing can also pose a security risk. For more information, see [AUTOTITLE](/actions/reference/security/secure-use). +Untrusted pull request content that automatically triggers actions processing can pose a security risk. For more information, see [AUTOTITLE](/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout) in the {% data variables.product.prodname_ghe_cloud %} documentation. ## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization From 0d1f3c6bd6d8b638e92de9635e7e224614b2d0ab Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Thu, 18 Sep 2025 14:07:03 -0700 Subject: [PATCH 36/39] Apply suggestions from code review --- content/actions/reference/security/secure-use.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 246b0279d8ec..03f5727de2f9 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -126,22 +126,8 @@ For additional examples and guidance on the risks of untrusted code checkout, se * OpenSSF Scorecards can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. See [Using OpenSSF Scorecards to secure workflow dependencies](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) later in this article. -## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization - -You can grant an individual or team in your organization the ability to control certain subsets of settings without granting full administrative control of the organization and its repositories. - -{% data reusables.actions.org-roles-for-gh-actions %} - -For more information, see [AUTOTITLE](/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles). - {% endif %} -## Using OpenID Connect to access cloud resources - -{% data reusables.actions.about-oidc-short-overview %} - -{% data reusables.actions.oidc-custom-claims-aws-restriction %} - ## Using third-party actions The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them. From da2130bf75d1ff7d3b3ea97dc2ca8a134f9f3b3d Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Fri, 19 Sep 2025 08:57:03 -0700 Subject: [PATCH 37/39] Apply suggestions from code review --- .../actions/pull-request-target-permissions-warning.md | 2 +- data/reusables/actions/workflow-run-permissions-warning.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/reusables/actions/pull-request-target-permissions-warning.md b/data/reusables/actions/pull-request-target-permissions-warning.md index 6b4109000324..dbb051021d60 100644 --- a/data/reusables/actions/pull-request-target-permissions-warning.md +++ b/data/reusables/actions/pull-request-target-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> For workflows that are triggered by the `pull_request_target` event, the `GITHUB_TOKEN` may be granted read/write repository permission (unless the `permissions` key is explicitly specified in the workflow or repository/organization default permission are set to Read-Only) and the workflow can access referenced secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should be cautious if checking out untrusted code from the pull request with this event. Make sure that you do not build, or run untrusted code from the pull request. When `pull_request_target` is triggered against the main branch it shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for {% data variables.product.prodname_actions %} documentation and [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the {% data variables.product.prodname_security %} website. +> Running untrusted code on the `pull_request_target` trigger may lead to security vulnerabilities. These vulnerabilities include cache poisoning and granting unintended access to write privileges or secrets. For more information, see [AUTOTITLE](/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout) in the {% data variables.product.prodname_ghe_cloud %} documentation, and [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the {% data variables.product.prodname_security %} website. diff --git a/data/reusables/actions/workflow-run-permissions-warning.md b/data/reusables/actions/workflow-run-permissions-warning.md index b7a35da1497a..9033ce7bd308 100644 --- a/data/reusables/actions/workflow-run-permissions-warning.md +++ b/data/reusables/actions/workflow-run-permissions-warning.md @@ -1,2 +1,2 @@ > [!WARNING] -> Workflows triggered by the `workflow_run` event are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets). You should make sure that you do not check out, build, or run untrusted code from the pull request or other untrusted sources with this event. The workflow shares the same cache as the other privileged workflows running in the context of the main branch. Running untrusted code on this trigger may lead to cache poisoning. For more information, see [Understanding the risks of untrusted code checkout](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risks-of-untrusted-code-checkout) in the Security Hardening for {% data variables.product.prodname_actions %} documentation and [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the {% data variables.product.prodname_security %} website. +> Running untrusted code on the `workflow_run` trigger may lead to security vulnerabilities. These vulnerabilities include cache poisoning and granting unintended access to write privileges or secrets. For more information, see [AUTOTITLE](/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout) in the {% data variables.product.prodname_ghe_cloud %} documentation, and [Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests) on the {% data variables.product.prodname_security %} website. From 8b3853e9edfc74bbeb16ebfa4c9bc317a425fa3a Mon Sep 17 00:00:00 2001 From: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Date: Fri, 19 Sep 2025 17:24:44 +0100 Subject: [PATCH 38/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 03f5727de2f9..27433e88c141 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -124,7 +124,7 @@ For additional examples and guidance on the risks of untrusted code checkout, se * {% data variables.product.prodname_codeql %} can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. You can configure default setup for the repository, and ensure that {% data variables.product.prodname_actions %} scanning is enabled. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). -* OpenSSF Scorecards can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. See [Using OpenSSF Scorecards to secure workflow dependencies](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) later in this article. +* OpenSSF Scorecards can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. See [Using OpenSSF Scorecards to secure workflow dependencies](#using-openssf-scorecards-to-detect-potentially-vulnerable-workflows) later in this article. {% endif %} From 270e3d3bf6cf48107cfd61f82df1dd9ce3ac1608 Mon Sep 17 00:00:00 2001 From: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Date: Fri, 19 Sep 2025 17:30:00 +0100 Subject: [PATCH 39/39] Update content/actions/reference/security/secure-use.md --- content/actions/reference/security/secure-use.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/reference/security/secure-use.md b/content/actions/reference/security/secure-use.md index 27433e88c141..b722d4b7b1ea 100644 --- a/content/actions/reference/security/secure-use.md +++ b/content/actions/reference/security/secure-use.md @@ -124,7 +124,7 @@ For additional examples and guidance on the risks of untrusted code checkout, se * {% data variables.product.prodname_codeql %} can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. You can configure default setup for the repository, and ensure that {% data variables.product.prodname_actions %} scanning is enabled. For more information, see [AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning). -* OpenSSF Scorecards can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. See [Using OpenSSF Scorecards to secure workflow dependencies](#using-openssf-scorecards-to-detect-potentially-vulnerable-workflows) later in this article. +* OpenSSF Scorecards can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}. See [Using OpenSSF Scorecards to secure workflow dependencies](#using-openssf-scorecards-to-secure-workflow-dependencies) later in this article. {% endif %}