chore: use main script for verify_pr_title.ts (#30821)

This security issue was reported to us where `pull_request_target`
always runs in the context of the base repository... meaning if the
GITHUB_TOKEN were accessed it would have write permissions to the deno
repo. We shouldn't use the PR's script for this. That said, we were
saved by this script being executed with zero permissions so it could
never read the GITHUB_TOKEN env var or do anything with it anyway. This
change adds a bit more defence in depth.
David Sherret 2025-09-23 10:14:25 -04:00 committed by GitHub
parent 2ad17f7c7c
commit 3e9c60a32a
GPG key ID: B5690EEEBB952194


@ -7,6 +7,8 @@ on:
- edited
- synchronize
# WARNING: This workflow runs in the context of the base repository so the
# GITHUB_TOKEN it has access to has full write permissions to the repository.
jobs:
main:
name: lint title
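Review bot: the WARNING comment added above `jobs:` states the risk (base-repository context, write-capable GITHUB_TOKEN) but not the control the commit message relies on, namely that this job is executed with zero permissions; extend the comment to say that the job's permissions must stay empty and that no code taken from the pull request may run in this workflow, so a later edit that adds a permission or a PR-controlled step is caught in review rather than silently widening the blast radius.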
@ -19,5 +21,4 @@ jobs:
- name: Lint
env:
PR_TITLE: '${{ github.event.pull_request.title }}'
PR_SHA: '${{ github.event.pull_request.head.sha }}'
run: deno run https://raw.githubusercontent.com/denoland/deno/$PR_SHA/tools/verify_pr_title.js "$PR_TITLE"
run: deno run https://raw.githubusercontent.com/denoland/deno/refs/heads/main/tools/verify_pr_title.js "$PR_TITLE"
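Review bot: `PR_SHA` is still exported in the `env:` block even though the new `run:` line no longer references it; remove that entry so the unused head SHA does not suggest the PR's commit still has any influence on what is executed. Switching the fetched script from `$PR_SHA` to `refs/heads/main` is the right fix for a `pull_request_target` job, since the script is now always the base branch's own copy; `PR_TITLE` remains attacker-influenced input, which is acceptable here because it is passed as a quoted argument rather than interpolated into the shell command.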