From 92a720cbacbdbbdf4be68eb1d0c2f2b83b226406 Mon Sep 17 00:00:00 2001
From: Jörg Thalheim
Date: Sat, 19 Mar 2022 19:43:22 +0100
Subject: ci: add warning to actions with writeable GITHUB_TOKEN

Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
---
 .github/workflows/pending-set.yml | 5 +++++
 1 file changed, 5 insertions(+)

(limited to '.github/workflows/pending-set.yml')

diff --git a/.github/workflows/pending-set.yml b/.github/workflows/pending-set.yml
index 944d1deefb9..b15e4847e67 100644
--- a/.github/workflows/pending-set.yml
+++ b/.github/workflows/pending-set.yml
@@ -3,6 +3,11 @@ name: "set pending status"
 on:
   pull_request_target:
 
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
 jobs:
   action:
     runs-on: ubuntu-latest
-- 
cgit 1.4.1
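Review bot: The new comment block documents the write-scoped token but the workflow still grants the default scopes; a top-level `permissions:` block next to the warning would turn it into an enforced boundary, e.g. `permissions:` / `  statuses: write` if setting the commit status is all this job needs — the job's steps are outside the hunk, so confirm which scopes it actually uses. The warning text could also name the two ways `pull_request_target` workflows usually end up evaluating user input, so a future editor knows what to avoid: checking out and executing the PR head, and interpolating `${{ github.event.* }}` fields directly into `run:` scripts instead of passing them through `env:`. It is worth adding that `pull_request_target` runs in the base repository context and so exposes repository secrets to the job, not only `$GITHUB_TOKEN`.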