| field | value | date |
|---|---|---|
| author | Jörg Thalheim <joerg@thalheim.io> | 2022-03-19 19:43:22 +0100 |
| committer | Jörg Thalheim <joerg@thalheim.io> | 2022-03-21 08:54:42 +0100 |
| commit | 92a720cbacbdbbdf4be68eb1d0c2f2b83b226406 | |
| tree | 16cff7ea0224b9d1701d9aa3bf869e09a328af09 | |
| parent | 819debc3575a3fae447202ecabc466eeaa826feb | |
ci: add warning to actions with writeable GITHUB_TOKEN
Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | .github/workflows/backport.yml | 6 |
| -rw-r--r-- | .github/workflows/labels.yml | 5 |
| -rw-r--r-- | .github/workflows/pending-set.yml | 5 |

3 files changed, 16 insertions, 0 deletions
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index bcb164a04ee..4ee5adfaac1 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -2,6 +2,12 @@ name: Backport on: pull_request_target: types: [closed, labeled] + +# WARNING: +# When extending this action, be aware that $GITHUB_TOKEN allows write access to +# the GitHub repository. This means that it should not evaluate user input in a +# way that allows code injection. + jobs: backport: name: Backport Pull Request diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index c464f8bf58a..5f949ddc56b 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -4,6 +4,11 @@ on: pull_request_target: types: [edited, opened, synchronize, reopened] +# WARNING: +# When extending this action, be aware that $GITHUB_TOKEN allows some write +# access to the GitHub API. This means that it should not evaluate user input in +# a way that allows code injection. + permissions: contents: read pull-requests: write diff --git a/.github/workflows/pending-set.yml b/.github/workflows/pending-set.yml index 944d1deefb9..b15e4847e67 100644 --- a/.github/workflows/pending-set.yml +++ b/.github/workflows/pending-set.yml @@ -3,6 +3,11 @@ name: "set pending status" on: pull_request_target: +# WARNING: +# When extending this action, be aware that $GITHUB_TOKEN allows write access to +# the GitHub repository. This means that it should not evaluate user input in a +# way that allows code injection. + jobs: action: runs-on: ubuntu-latest |
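Review bot: in the backport.yml hunk the warning comment placed between `on:` and `jobs:` documents the hazard but does not narrow it; unlike labels.yml in the same patch, this file shows no `permissions:` block in the surrounding context, so the token keeps whatever scope the repository default grants. Consider pairing the comment with an explicit least-privilege block (if the backport job pushes a branch and opens a pull request, that is `permissions:` with `contents: write` and `pull-requests: write`) so the comment describes an intentional scope rather than an inherited one. The phrase "evaluate user input in a way that allows code injection" would also help a future editor more if it named the concrete vector: `${{ github.event.pull_request.title }}`, the PR body, or the head branch name interpolated directly into a `run:` step. The safe pattern is to pass such values through `env:` and reference them as shell variables, e.g. `env:` / `PR_TITLE: ${{ github.event.pull_request.title }}` / `run: echo "$PR_TITLE"`.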
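Review bot: in the labels.yml hunk the wording "allows some write access to the GitHub API" is vaguer than the comments in the other two files and vaguer than the `permissions:` block immediately below it, which already pins the token to `contents: read` and `pull-requests: write`. Suggest the comment state that scope directly, for example "the token can write pull-request metadata such as labels; see the permissions block below", so the two cannot drift apart. It is also worth saying why this matters here: with types `edited, opened, synchronize, reopened` the workflow re-runs on every push to a fork's PR branch, so anything read from the PR title, body or branch name is attacker-controlled at the time the job runs.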
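Review bot: in the pending-set.yml hunk the bare `on: pull_request_target:` trigger has no activity-type filter and, in the visible context, no `permissions:` block, so this workflow runs for every default pull-request event with the repository's default token scope. A job whose only purpose is to set a commit status needs no more than `statuses: write`; consider adding `permissions:` / `statuses: write` alongside the new comment so the warning is backed by an actual restriction. The comment text duplicates backport.yml verbatim while labels.yml already differs; if all three files are meant to carry the same notice, keep the wording identical so a search for the phrase finds every copy.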