…ositories Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/8a526311-3cd5-4a00-aa52-2ad925d5ccd7
pull_request_target event on public repositories
Pull request overview
Adds a runtime guard to block GitHub Actions workflows from running on pull_request_target in public repositories, reducing exposure to “pwn request” style attacks.
Changes:
- Added a runtime check in `validate_lockdown_requirements.cjs` to fail the workflow when `GITHUB_EVENT_NAME=pull_request_target` and `GITHUB_REPOSITORY_VISIBILITY=public`, emitting `lockdown_check_failed=true`.
- Added Vitest coverage for `pull_request_target` enforcement scenarios and ordering relative to strict-mode failures.
- Updated test setup to reset `GITHUB_EVENT_NAME` between tests.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| actions/setup/js/validate_lockdown_requirements.cjs | Introduces the public-repo pull_request_target runtime enforcement and failure message/output behavior. |
| actions/setup/js/validate_lockdown_requirements.test.cjs | Adds test cases validating the new enforcement behavior and its interaction with strict-mode checks. |
| "\\n" + | ||
| "The pull_request_target event is not allowed on public repositories because it runs\\n" + | ||
| "workflows with access to repository secrets even when triggered from a fork, which\\n" + | ||
| 'creates a significant security risk (known as a \\"pwn request\\").\\n' + |
The error message string is escaping quotes incorrectly: \"pwn request\" in a single-quoted JS string will render with literal backslashes (e.g., \"pwn request\") in the output. Use unescaped double quotes ("pwn request" in a double-quoted string) or just "pwn request" without extra backslashes (e.g., known as a "pwn request" or known as a "pwn request" via a template literal) so the message prints cleanly.
| 'creates a significant security risk (known as a \\"pwn request\\").\\n' + | |
| 'creates a significant security risk (known as a "pwn request").\\n' + |
@copilot Apply reviews
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0dab3c2a-f1b9-48a4-bdff-b3d5f4a09c9f
`pull_request_target` runs in the base repo context with full secret access even when triggered from a fork, making it a "pwn request" vector on public repos. This adds a runtime enforcement check alongside the existing strict-mode and lockdown checks.

Changes

- `validate_lockdown_requirements.cjs` — Added check after strict-mode enforcement: reads `GITHUB_EVENT_NAME` + `GITHUB_REPOSITORY_VISIBILITY`; fails the workflow with a descriptive error if `pull_request_target` fires on a public repo. Sets `lockdown_check_failed=true` output for consistency with other guards.
- `validate_lockdown_requirements.test.cjs` — 7 new test cases covering: fail on public+pull_request_target, pass on public+pull_request, pass on private/internal regardless of strict mode, pass when visibility unknown, correct ordering when strict-mode check also fails.

The check only blocks public repos — private and internal repos are unaffected.
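As an added illustration (not the gh-aw project's own `validate_lockdown_requirements.cjs`), the following models the guard described above as a pure function over the two environment variables, plus the ordering relative to the strict-mode check. The function names, the `env` object passed in instead of `process.env`, and the `strictModeFailed` flag are assumptions.

```javascript
// Added example modelling the PR's runtime guard; not the project's code.
// Fails when GITHUB_EVENT_NAME is pull_request_target AND the repository
// visibility is public; private, internal and unknown visibility pass.

const BLOCKED_EVENT = "pull_request_target";

// Returns null when the workflow may proceed, otherwise an object carrying
// the error message and the lockdown_check_failed=true output the PR sets.
function checkPullRequestTarget(env) {
  const eventName = env.GITHUB_EVENT_NAME;
  const visibility = env.GITHUB_REPOSITORY_VISIBILITY;

  // Both facts must be known and match before blocking (assumption: an
  // unset visibility is treated as unknown and therefore allowed).
  if (eventName !== BLOCKED_EVENT || visibility !== "public") {
    return null;
  }
  return {
    output: { lockdown_check_failed: "true" },
    message:
      `The ${BLOCKED_EVENT} event is not allowed on public repositories because it runs\n` +
      "workflows with access to repository secrets even when triggered from a fork, which\n" +
      // Inside a single-quoted JS string, double quotes need no escaping.
      'creates a significant security risk (known as a "pwn request").',
  };
}

// Runs the guards in the order the PR describes: strict-mode enforcement
// first, then the pull_request_target check. strictModeFailed is an assumed
// boolean standing in for the existing strict-mode result computed elsewhere.
function runLockdownChecks(env, strictModeFailed) {
  if (strictModeFailed) {
    return { failed: true, reason: "strict-mode" };
  }
  const prt = checkPullRequestTarget(env);
  if (prt) {
    return { failed: true, reason: BLOCKED_EVENT, ...prt };
  }
  return { failed: false, reason: null };
}

// Constructed sample: what a fork-triggered pull_request_target run on a
// public repo would look like to the guard.
const sampleEnv = {
  GITHUB_EVENT_NAME: "pull_request_target",
  GITHUB_REPOSITORY_VISIBILITY: "public",
};
console.log(runLockdownChecks(sampleEnv, false).message);
```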