mirror of
https://code.forgejo.org/actions/checkout.git
synced 2026-07-10 05:16:16 +00:00
backport allow-unsafe-pr-checkout to v2 (#2504)
* block checking out fork pr for pull_request_target and workflow_run (#2454) * block checking out fork pr for some events * address copilot and reviewer feedback * run prettier formatting * build * update urls * update readme * update description and url again * edit url one more time * update error wording (#2467) * bump upload-artifact * rebuild
This commit is contained in:
parent
ee0669bd1c
commit
262cdb5f1c
11 changed files with 509 additions and 4 deletions
|
|
@ -71,6 +71,15 @@ inputs:
|
|||
set-safe-directory:
|
||||
description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
|
||||
default: true
|
||||
allow-unsafe-pr-checkout:
|
||||
description: >
|
||||
Required to check out fork pull request code from a workflow triggered by
|
||||
`pull_request_target` or `workflow_run`. These workflows run with the
|
||||
base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
|
||||
runner access; fetching and executing a fork's code in that trusted
|
||||
context commonly leads to "pwn request" vulnerabilities. Set to `true`
|
||||
only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
|
||||
default: false
|
||||
runs:
|
||||
using: node12
|
||||
main: dist/index.js
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue