By Claude 3 Sonnet.

Q: We are running an open source project on GitHub and using GitHub Actions for all pull requests. What are the security considerations when using pull_requedt_target in workflows?

When using the pull_request_target event in GitHub Actions workflows, there are some important security considerations to keep in mind:

1. Untrusted Code: The pull_request_target event runs the workflow code from the pull request's head commit, which means it executes code from an untrusted source. This code could potentially be malicious, so it's crucial to ensure that your workflow doesn't perform any sensitive operations or expose any secrets.

2. Code Injection: If your workflow includes steps that allow user input or use external data sources, there's a risk of code injection attacks. Malicious code could be injected into your workflow, leading to unintended actions or data leaks.

3. Permissions: By default, the pull_request_target event runs with read-only permissions to the repository. However, if your workflow requires write access, you'll need to grant the GITHUB_TOKEN permissions explicitly. This introduces a potential risk if the workflow is compromised, as it could then make unauthorized changes to your repository.

4. Secrets Exposure: If your workflow uses secrets (e.g., API keys, passwords), they could potentially be exposed to the untrusted code in the pull request. It's recommended to avoid using secrets in workflows triggered by the pull_request_target event, or at least limit their usage to read-only operations.

5. Resource Exhaustion: Malicious pull requests could attempt to overwhelm your system resources (e.g., CPU, memory, disk space) by running resource-intensive operations in the workflow. It's important to set reasonable limits and monitor resource usage.

To mitigate these risks, consider the following best practices:

1. Validate Inputs: Sanitize and validate all inputs and data sources used in your workflow to prevent code injection attacks.
2. Minimize Permissions: Grant the minimum required permissions to the GITHUB_TOKEN or use a custom token with limited scope.
3. Avoid Secrets: If possible, avoid using secrets in workflows triggered by the pull_request_target event. If you must use secrets, ensure they are only used for read-only operations.
4. Resource Limits: Set appropriate resource limits for your workflows to prevent resource exhaustion attacks.
5. Code Review: Thoroughly review the code in pull requests before merging, especially if the workflow performs sensitive operations.
6. Monitoring and Logging: Implement monitoring and logging mechanisms to detect and respond to potential security incidents or misuse.
7. Security Updates: Keep your GitHub Actions environment and dependencies up-to-date with the latest security patches and updates.

By following these best practices, you can mitigate the risks associated with running untrusted code in your GitHub Actions workflows and maintain a secure environment for your open-source project.

Based on actions/first-interaction's readme, it is enough to use pull_request event:
https://github.com/actions/first-interaction?tab=readme-ov-file#usage

See actions/first-interaction#31

@ddevsr Thank you. But did you test this works on pull requests by contributers?

By ChatGPT.

Using pull_request_target in GitHub Actions workflows comes with several security considerations, especially for open-source projects where pull requests (PRs) may come from untrusted contributors. Here’s what you need to keep in mind:

1. Access to Secrets

• Workflows triggered by pull_request_target run in the context of the base repository (i.e., the repository into which the PR is being merged). This means they have access to secrets and can perform actions with the repository's permissions.
• An attacker could potentially submit a malicious PR to exploit this, accessing secrets or performing unauthorized actions.

2. Careful with Untrusted Code

• Avoid checking out and running untrusted code directly from the PR in these workflows. If you do need to check out the PR, consider using actions/checkout with ref: ${{ github.event.pull_request.head.ref }} instead of the PR’s branch, but be cautious.
• One safer approach is to validate the PR (e.g., linting, formatting, running tests) without exposing secrets or doing anything sensitive.

3. Use Limited Scopes

• Ensure the GitHub token (GITHUB_TOKEN) or any other credentials used in the workflow are scoped appropriately, limiting permissions as much as possible.
• Consider using the permissions key in the workflow file to restrict the default permissions of the GITHUB_TOKEN.

4. Review and Approval

• Implement mandatory code reviews before workflows using pull_request_target can be merged. This adds an additional layer of protection by ensuring that a maintainer reviews potentially malicious code before it executes.

5. Limit Workflow Modifications

• Be cautious about allowing workflows or configuration files to be modified in PRs, as these changes could be exploited. Ensure that any changes to workflow files are reviewed thoroughly.

6. Consider Alternative Triggers

• For untrusted code or contributors, consider using pull_request instead of pull_request_target if you don’t need access to secrets or write permissions. This trigger runs in the context of the fork, offering more isolation.

7. Custom Environment Variables

• Be careful when passing custom environment variables to workflows triggered by pull_request_target. Avoid passing sensitive information directly from the PR.

Summary

Using pull_request_target is powerful but should be approached with caution, especially in open-source projects. The key is to limit exposure and access to sensitive resources, thoroughly review untrusted code, and ensure workflows are tightly controlled and reviewed.