Skip to content

Commit 9b07266

Browse files
Update content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md
Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
1 parent 49a0d0a commit 9b07266

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -166,7 +166,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned
166166

167167
## Understanding the risks of untrusted code checkout
168168

169-
Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows have write access and access to secrets in the target repository, which can be exploited to take over a repository.
169+
Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository.
170170

171171
Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them.
172172

0 commit comments

Comments
 (0)