fix: replace pull_request_target with pull_request to prevent secret exposure #21
Merged
kparkinson-ld merged 1 commit into main on Feb 9, 2026
…exposure

Change the workflow trigger from pull_request_target to pull_request to prevent fork PRs from executing attacker-controlled code with base repository privileges and access to secrets.

- Remove unsafe checkout of fork code (repository/ref parameters)
- Update annotation job condition to match new event name
- Keep ref parameter in prettier job for same-repo PRs only

Co-Authored-By: Kane Parkinson <kparkinson@launchdarkly.com>
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:
Summary
Remediates a security vulnerability (HackerOne #3545260) where the `style-check.yml` workflow used `pull_request_target` combined with explicit checkout of fork-controlled code (`repository` and `ref` parameters). This allowed fork PRs to execute attacker-controlled code with base repository privileges and access to secrets including `GITHUB_TOKEN`.

Changes:

- Replace the `pull_request_target` trigger with `pull_request` so fork PRs run in the fork's security context
- Remove `repository: ${{ github.event.pull_request.head.repo.full_name }}` and `ref: ${{ github.head_ref }}` from the checkout steps in the `eslint_check_upload`, `prettier_check`, and `prettier` jobs
- Update the `annotation` job condition from `pull_request_target` to `pull_request`
- Keep `ref: ${{ github.head_ref }}` in the `prettier` job (which is gated to same-repo PRs only and needs it for auto-commit)

Review & Testing Checklist for Human

- The `prettier` job condition (`github.event.pull_request.head.repo.full_name == 'rrweb-io/rrweb'`) correctly restricts it to same-repo PRs only — this job retains `ref` and `contents: write`
- The `annotation` job (which uses `checks: write` + `secrets.GITHUB_TOKEN`) will still function for same-repo PRs under the `pull_request` event. Note: annotations on fork PRs may stop working, which is the expected security trade-off.
- Whether other workflows in `.github/workflows/` have the same `pull_request_target` + fork checkout pattern

Suggested test plan: Open a PR from a fork to confirm the workflow no longer checks out fork code with base repo privileges. Verify same-repo PRs still get ESLint annotations and auto-formatting.
Notes
The `pull_request` event's default checkout behavior checks out the merge commit rather than the PR head directly. This is functionally equivalent for lint/format checks.
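As an added illustration (not code from this PR, from Devin, or from the rrweb repository), the script below writes two constructed workflow files modelled on the pattern the summary describes: the unsafe shape (`pull_request_target` plus a checkout of the fork's `repository`/`ref`) and the remediated shape (`pull_request` with the default merge-commit checkout, and the write-scoped job gated to same-repo PRs). It then runs a grep-based check of the kind a reviewer could point at `.github/workflows/` for the checklist item about other workflows. The file names, job bodies, the `yarn` commands, and the `actions/checkout@v4` pin are assumptions; the gating condition is the one quoted in the checklist.

```shell
#!/bin/sh
# Added example, not the project's own workflow files. Both YAML documents below
# are constructed to show the pattern; they are not rrweb's actual style-check.yml.

WORKDIR="${TMPDIR:-/tmp}/pr_target_demo.$$"
mkdir -p "$WORKDIR/.github/workflows"

# Unsafe shape: a privileged trigger (base-repo GITHUB_TOKEN and secrets) that
# checks out and runs code taken from the pull request head, i.e. the fork.
cat > "$WORKDIR/.github/workflows/vulnerable.yml" <<'EOF'
name: style-check
on:
  pull_request_target:
jobs:
  eslint_check_upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.head_ref }}
      - run: yarn install && yarn lint   # fork-controlled code, base-repo token
EOF

# Remediated shape: pull_request trigger (fork PRs get a read-only token and no
# secrets), default checkout of the merge commit, and the job that needs
# contents: write plus the head ref gated to same-repo PRs by the quoted condition.
cat > "$WORKDIR/.github/workflows/fixed.yml" <<'EOF'
name: style-check
on:
  pull_request:
jobs:
  eslint_check_upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn install && yarn lint
  prettier:
    if: github.event.pull_request.head.repo.full_name == 'rrweb-io/rrweb'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
      - run: yarn prettier --write . && git commit -am "style: format" && git push
EOF

# Returns 0 (unsafe) when a workflow file both triggers on pull_request_target
# and has a checkout ref/repository line that points at the PR head, 1 otherwise.
# Text-based rather than a YAML parse, so it is a triage aid, not a proof.
is_unsafe_workflow() {
  f="$1"
  grep -q 'pull_request_target' "$f" || return 1
  grep -Eq '^[[:space:]]*(ref|repository):.*(github\.head_ref|github\.event\.pull_request\.head)' "$f" || return 1
  return 0
}

# Prints "UNSAFE: <file>" for every workflow in a directory that matches.
scan_workflows() {
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    if is_unsafe_workflow "$f"; then
      echo "UNSAFE: $f"
    fi
  done
  return 0
}

# Usage: point scan_workflows at a real checkout's .github/workflows directory.
scan_workflows "$WORKDIR/.github/workflows"
```

The scanner deliberately ignores `github.event.pull_request.head.repo.full_name` when it appears in an `if:` condition, since that usage is the same-repo gate the fix relies on; only `ref:`/`repository:` lines that feed the head ref into a checkout are flagged.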