fix(aci): Selected project state should react to form changes#112434
malwilley wants to merge 3 commits into
gha-security-review: Found 1 issue (1 medium)
Medium
`pull_request_target` with `secrets: inherit` passes all secrets to external reusable workflow - `.github/workflows/changelog-preview.yml:21`
This workflow uses the `pull_request_target` trigger with `secrets: inherit`, which passes all repository secrets to the reusable workflow `getsentry/craft/.github/workflows/changelog-preview.yml`. If that external workflow checks out fork code (PR head ref) and executes it, an attacker could exfiltrate secrets by opening a malicious PR. The workflow also grants elevated permissions (`contents: write`, `pull-requests: write`, `statuses: write`), which amplifies the potential impact.
Annotations
Check warning on line 21 in .github/workflows/changelog-preview.yml
sentry-warden / warden: gha-security-review