Merge pull request #164880 from Mic92/github-tokens

ci: add warning to actions with writeable GITHUB_TOKEN

3 files changed, 16 insertions, 0 deletions

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index bcb164a04ee..4ee5adfaac1 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -2,6 +2,12 @@ name: Backport
 on:
   pull_request_target:
     types: [closed, labeled]
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
 jobs:
   backport:
     name: Backport Pull Request
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index c464f8bf58a..5f949ddc56b 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -4,6 +4,11 @@ on:
   pull_request_target:
     types: [edited, opened, synchronize, reopened]
 
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows some write
+# access to the GitHub API. This means that it should not evaluate user input in
+# a way that allows code injection.
+
 permissions:
   contents: read
   pull-requests: write
diff --git a/.github/workflows/pending-set.yml b/.github/workflows/pending-set.yml
index 944d1deefb9..b15e4847e67 100644
--- a/.github/workflows/pending-set.yml
+++ b/.github/workflows/pending-set.yml
@@ -3,6 +3,11 @@ name: "set pending status"
 on:
   pull_request_target:
 
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
 jobs:
   action:
     runs-on: ubuntu-latest