mirror of
https://github.com/denoland/deno.git
synced 2025-12-23 08:48:24 +00:00
3e9c60a32a
This security issue was reported to us where `pull_request_target` always runs in the context of the base repository... meaning if the GITHUB_TOKEN were accessed it would have write permissions to the deno repo. We shouldn't use the PR's script for this. That said, we were saved by this script being executed with zero permissions so it could never read the GITHUB_TOKEN env var or do anything with it anyway. This change adds a bit more defence in depth.
24 lines
652 B
YAML
24 lines
652 B
YAML
name: 'pr'
|
|
|
|
on:
|
|
pull_request_target:
|
|
types:
|
|
- opened
|
|
- edited
|
|
- synchronize
|
|
|
|
# WARNING: This workflow runs in the context of the base repository so the
|
|
# GITHUB_TOKEN it has access to has full write permissions to the repository.
|
|
jobs:
|
|
main:
|
|
name: lint title
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Install Deno
|
|
uses: denoland/setup-deno@v2
|
|
with:
|
|
deno-version: canary
|
|
- name: Lint
|
|
env:
|
|
PR_TITLE: '${{ github.event.pull_request.title }}'
|
|
run: deno run https://raw.githubusercontent.com/denoland/deno/refs/heads/main/tools/verify_pr_title.js "$PR_TITLE"
|