feat: warn on non-default checkout during pull_request_target

Signed-off-by: Kengo TODA <skypencil@gmail.com>
This commit is contained in:
Kengo TODA 2026-05-13 08:32:55 +08:00
parent 900f2210b1
commit 5a3004714a
No known key found for this signature in database
5 changed files with 149 additions and 2 deletions

dist/index.js vendored

@ -2008,7 +2008,8 @@ function getInputs() {
const isWorkflowRepository = qualifiedRepository.toUpperCase() ===
`${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase();
// Source branch, source version
result.ref = core.getInput('ref');
const inputRef = core.getInput('ref');
result.ref = inputRef;
if (!result.ref) {
if (isWorkflowRepository) {
result.ref = github.context.ref;
@ -2027,6 +2028,16 @@ function getInputs() {
}
core.debug(`ref = '${result.ref}'`);
core.debug(`commit = '${result.commit}'`);
// Warn when pull_request_target checks out non-default code from the workflow repository.
// This event runs in the base repository context, so checking out PR-controlled code can be risky.
const suppressNonDefaultBranchWarning = (core.getInput('dangerously-checkout-non-default-branch') || 'false').toUpperCase() === 'TRUE';
if (github.context.eventName === 'pull_request_target' &&
isWorkflowRepository &&
inputRef &&
!suppressNonDefaultBranchWarning &&
!isDefaultBranchRef(inputRef)) {
core.warning('Checking out a non-default branch from pull_request_target can put untrusted pull request code in a privileged context. If this is intentional, set dangerously-checkout-non-default-branch: true. Consider using pull_request or pull_request plus workflow_run instead. See https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/');
}
// Clean
result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE';
core.debug(`clean = ${result.clean}`);
@ -2098,6 +2109,15 @@ function getInputs() {
return result;
});
}
function isDefaultBranchRef(ref) {
var _a;
const defaultBranch = (_a = github.context.payload.repository) === null || _a === void 0 ? void 0 : _a.default_branch;
if (defaultBranch &&
(ref === defaultBranch || ref === `refs/heads/${defaultBranch}`)) {
return true;
}
return ref.toUpperCase() === github.context.sha.toUpperCase();
}
/***/ }),