Add Alert about pull_request_target

https://github.com/stefanzweifel/git-auto-commit-action/issues/211#issuecomment-1837270114
This commit is contained in:
Stefan Zweifel 2023-12-12 20:42:25 +01:00
parent 8d90676eef
commit 2818fe7949
No known key found for this signature in database

@ -296,6 +296,14 @@ However, there are a couple of ways to use this Actions in Workflows that should
### Workflow should run in **base** repository
> [!CAUTION]
> The following section explains how you can use git-auto-commit in combination with the `pull_request_target` trigger.
> **Using `pull_request_target` in your workflows can lead to repository compromise as [mentioned](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) by GitHub's own security team. This means, that a bad actor could potentially leak/steal your GitHub Actions repository secrets.**
> Please be aware of this risk when using `pull_request_target` in your workflows.
>
> If your workflow runs code-fixing tools, consider running the workflow on your default branch by listening to the `push` event or use a third-party tool like [autofix.ci](https://autofix.ci/).
> We keep this documentation around, as many questions came in over the years, on how to use this action for public forks.
The workflow below runs whenever a commit is pushed to the `main`-branch or when activity on a pull request happens, by listening to the [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) event.
If the workflow is triggered by the `pull_request_target`-event, the workflow will run in the context of the base of the pull request, rather than in the context of the merge commit, as the `pull_request` event does.
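Review bot: the new CAUTION block says `pull_request_target` "can lead to repository compromise" but never states what makes it dangerous in this workflow, so a reader cannot tell a safe use from an unsafe one; consider adding one sentence after the bold warning, for example "The risk arises when the workflow checks out and runs code from the fork's head ref, because under `pull_request_target` it executes with the base repository's write token and secrets", which is the scenario the linked Security Lab article describes and which also motivates the `push`/autofix.ci alternative given two lines later. Two smaller points: make sure a blank line separates the last `>` line from "The workflow below runs whenever…", otherwise that paragraph is lazily continued into the blockquote and rendered inside the callout; and drop the stray comma in "This means, that a bad actor" (and the ones around "as many questions came in over the years" read more cleanly as a single clause).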