Skip to content

fix(security): pin third-party Actions in pull_request_target workflows to commit SHAs#1007

Open
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-pin-actions
Open

fix(security): pin third-party Actions in pull_request_target workflows to commit SHAs#1007
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-pin-actions

Conversation

@XananasX7

Copy link
Copy Markdown

The auto-review.yml workflow uses pull_request_target (which has write access to secrets) and calls lewagon/wait-on-check-action@v1.3.4 — a mutable tag reference on a third-party action with pull-requests: write permission. A tag redirect could auto-approve malicious PRs. Pinned to commit SHAs.

…ws to SHAs

lewagon/wait-on-check-action@v1.3.4 is a tag-pinned third-party action
used in pull_request_target context with pull-requests:write permission.
A supply-chain attack via that action could approve malicious PRs.
Pinned to commit SHA.
@google-cla

google-cla Bot commented Jun 28, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant