Using github.actor or equivalent properties to check if the actor is a trusted principal on events like
pull_request_target could be a security issue, because they do not always refer to the actual creator of the commit or the
pull request.
The value represents the entity who triggered the workflow event, which may differ from the actual author of the commit or pull request. If a threat actor could force a trusted actor (such as a bot) into making a change that triggers the workflow, they can bypass the check.
An attacker could trick the action to run sensitive jobs/commands with special permissions or secrets. For instance, an auto-merge workflow.
If the sensitive code performs a merge or releases an artifact, an attacker can inject malicious code or publish malicious packages, potentially compromising the entire supply chain.
Workflows should verify the origin of the pull_request using trusted metadata before taking automated actions, rather than trusting the triggering actor.
For instance, instead of directly using github.actor to authorize an auto-merge operation during a pull_request_target
event, workflows should rely on non-forgeable variables like:
github.event.pull_request.user.logingithub.event.pull_request.user.id
name: Auto-Merge
on:
pull_request_target:
jobs:
main:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }} # Noncompliant
steps:
- name: Merge
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash ${{ github.event.pull_request.html_url }}
name: Auto-Merge
on:
pull_request_target:
jobs:
main:
runs-on: ubuntu-latest
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Merge
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr merge --auto --squash ${{ github.event.pull_request.html_url }}