@AudioReach/audioreach-maint 👋 This repository uses GitHub Actions' pull_request_target trigger, which is one of the most commonly-abused sources of CI/CD supply chain compromise. We've opened this issue so the maintainers know about it and can plan a fix.
What we found
The following workflow file(s) in this repository use pull_request_target:
- .github/workflows/pre_merge_build.yml
Why this matters
Even with "Require approval for all external contributors" enabled for fork pull request workflows, the pull_request_target event bypasses that check and runs immediately -- potentially with write access to the repository and its secrets. An attacker who opens a PR from a fork can run arbitrary code with your repo's credentials.
See go/github-pull-request-target for background, common pitfalls, and secure alternatives.
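As an added illustration (not part of this notice or the repository's own workflow), here is the shape of workflow this check flags beside a hardened equivalent; `make all` and the `SIGNING_KEY` secret are assumed placeholders for the project's real build command and secrets:

```yaml
# Flagged pattern: pull_request_target runs in the context of the base
# repository (write-capable GITHUB_TOKEN, secrets available) but checks out
# and executes code taken from the fork's PR head.
name: pre-merge build (flagged)
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: make all          # assumed build command, supplied by the PR
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}          # assumed secret name

---
# Hardened pattern: building and testing PR code needs no base-repo
# privileges, so use the ordinary pull_request event. For fork PRs it runs
# with a read-only GITHUB_TOKEN and no repository secrets, and it honours the
# "Require approval" setting. Permissions are also pinned explicitly.
name: pre-merge build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the PR merge commit by default
      - run: make all               # assumed build command; no secrets exposed
```

If a workflow genuinely needs pull_request_target (for example to label or comment on a PR), keep it free of any checkout or execution of PR-supplied code and scope `permissions:` to the minimum that step requires.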
What we've done in the meantime
As a precaution, we've limited pull request creation on this repository to collaborators (members with write access) until the workflow is fixed. External contributors will not be able to open new PRs against this repo until the restriction is lifted.
What we'd like you to do
- Review the workflow file(s) above.
- Either remove the pull_request_target usage, or refactor it to follow the safe patterns at go/github-pull-request-target.
- When you're ready to re-enable external PRs (or if you believe this is a false positive), open a Support Issue at go/ossops and we'll restore PR creation for non-collaborators.
Heads up: this was filed by automation
This issue was filed automatically by OSSOPS Automation. It may occasionally flag valid or already-reviewed usage -- for example:
- Uses of pull_request_target that have been pre-cleared with OSSOPS.
- Forks of upstream projects where the workflow is inherited and out of your control.
If either applies, please reach out at go/ossops for assistance and we'll mark this repo as reviewed.
We're also exploring additional security measures to further harden GitHub Actions and CI usage org-wide; expect follow-ups in this space.
Filed by OSSOPS Automation. Questions or false positives: go/ossops.