Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,11 @@ The following is an extended example with all available options.
# Optional. Creates a new tag and pushes it to remote without creating a commit.
# Skips dirty check and changed files. Must be used in combination with `tag` and `tagging_message`.
create_git_tag_only: false

# Optional. Suppress the security warning emitted when the action runs on a
# `pull_request_target` event. See the "Workflow should run in **base** repository"
# section below for context before disabling this warning.
disable_pull_request_target_trigger_warning: false
```

Please note that the Action depends on `bash`. If you're using the Action in a job in combination with a custom Docker container, make sure that `bash` is installed.
Expand Down Expand Up @@ -356,10 +361,13 @@ However, there are a couple of ways to use this Action in Workflows that should
> [!CAUTION]
> The following section explains how you can use git-auto-commit in combination with the `pull_request_target` trigger.
> **Using `pull_request_target` in your workflows can lead to repository compromise as [mentioned](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) by GitHub's own security team. This means, that a bad actor could potentially leak/steal your GitHub Actions repository secrets.**
> Please be aware of this risk when using `pull_request_target` in your workflows.
> Please be aware of this risk when using `pull_request_target` in your workflows. See [GitHub's documentation](https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target) for more information.
>
> If your workflow runs code-fixing tools, consider running the workflow on your default branch by listening to the `push` event or use a third-party tool like [autofix.ci](https://autofix.ci/).
> We keep this documentation around, as many questions came in over the years, on how to use this action for public forks.
>
> To remind users of this risk, git-auto-commit emits a warning annotation whenever it detects it is running on a `pull_request_target` event.
> If you have evaluated the risk and want to silence the warning, set the `disable_pull_request_target_trigger_warning` input to `true`.
Comment thread
stefanzweifel marked this conversation as resolved.

The workflow below runs whenever a commit is pushed to the `main`-branch or when activity on a pull request happens, by listening to the [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) event.

Expand Down
4 changes: 4 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,10 @@ inputs:
description: Perform a clean git tag and push, without commiting anything
required: false
default: false
disable_pull_request_target_trigger_warning:
description: Suppress the security warning emitted when the action runs on a `pull_request_target` event.
required: false
default: false
internal_git_binary:
description: Internal use only! Path to git binary used to check if git is available. (Don't change this!)
required: false
Expand Down
12 changes: 12 additions & 0 deletions entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ _main() {

_check_if_repository_is_in_detached_state

_check_for_pull_request_target_trigger

if "$INPUT_CREATE_GIT_TAG_ONLY"; then
_log "debug" "Create git tag only";
_set_github_output "create_git_tag_only" "true"
Expand Down Expand Up @@ -107,6 +109,16 @@ _check_if_is_git_repository() {
fi
}

_check_for_pull_request_target_trigger() {
if "$INPUT_DISABLE_PULL_REQUEST_TARGET_TRIGGER_WARNING"; then
return
fi

if [ "${GITHUB_EVENT_NAME:-}" = "pull_request_target" ]; then
_log "warning" "git-auto-commit is running on a 'pull_request_target' event. This trigger can be a security risk: a malicious pull request could potentially exfiltrate your repository secrets. See https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target and the 'pull_request_target' section in the git-auto-commit README (https://github.com/stefanzweifel/git-auto-commit-action#using-the-action-in-a-pull_request_target-workflow) for safer usage. Set 'disable_pull_request_target_trigger_warning: true' to suppress this warning.";
fi
}

_check_if_repository_is_in_detached_state() {
if [ -z "$(git symbolic-ref HEAD)" ]
then
Expand Down
51 changes: 51 additions & 0 deletions tests/git-auto-commit.bats
Original file line number Diff line number Diff line change
Expand Up @@ -41,8 +41,13 @@ setup() {
export INPUT_SKIP_PUSH=false
export INPUT_DISABLE_GLOBBING=false
export INPUT_CREATE_BRANCH=false
export INPUT_DISABLE_PULL_REQUEST_TARGET_TRIGGER_WARNING=false
export INPUT_INTERNAL_GIT_BINARY=git

# Unset the GitHub event name by default so tests do not pick up
# pull_request_target from the environment of the shell running BATS.
unset GITHUB_EVENT_NAME

# Set GitHub environment variables used by the GitHub Action
temp_github_output_file=$(mktemp -t github_output_test.XXXXX)
export GITHUB_OUTPUT="${temp_github_output_file}"
Expand Down Expand Up @@ -1521,3 +1526,49 @@ END

assert_equal $current_sha $remote_sha
}

@test "It emits a warning when running on a pull_request_target event" {
export GITHUB_EVENT_NAME="pull_request_target"

touch "${FAKE_LOCAL_REPOSITORY}"/new-file-1.txt

run git_auto_commit

assert_success
assert_output --partial "::warning::git-auto-commit is running on a 'pull_request_target' event."
assert_output --partial "disable_pull_request_target_trigger_warning"
}

@test "It does not emit the pull_request_target warning when the event is pull_request" {
export GITHUB_EVENT_NAME="pull_request"

touch "${FAKE_LOCAL_REPOSITORY}"/new-file-1.txt

run git_auto_commit

assert_success
refute_output --partial "::warning::git-auto-commit is running on a 'pull_request_target' event."
}

@test "It does not emit the pull_request_target warning when GITHUB_EVENT_NAME is unset" {
unset GITHUB_EVENT_NAME

touch "${FAKE_LOCAL_REPOSITORY}"/new-file-1.txt

run git_auto_commit

assert_success
refute_output --partial "::warning::git-auto-commit is running on a 'pull_request_target' event."
}

@test "It does not emit the pull_request_target warning when disable_pull_request_target_trigger_warning is true" {
export GITHUB_EVENT_NAME="pull_request_target"
export INPUT_DISABLE_PULL_REQUEST_TARGET_TRIGGER_WARNING=true

touch "${FAKE_LOCAL_REPOSITORY}"/new-file-1.txt

run git_auto_commit

assert_success
refute_output --partial "::warning::git-auto-commit is running on a 'pull_request_target' event."
}