Description
High-Privilege Token in Pull Request Trigger
Overview
We have recently conducted a security scan of our GitHub repositories to ensure our CI/CD pipelines are secure. We identified misconfigurations in GitHub Actions workflows (e.g., injection risks, unpinned actions).
File: .github/workflows/release.yml
Description
The 'release.yml' workflow runs on 'pull_request' events and uses the high-privilege secret ADYEN_AUTOMATION_BOT_ACCESS_TOKEN together with 'contents: write' and 'pull-requests: write' permissions. A conditional check restricts the job to pull requests opened from the base repository, but the pattern is still inherently dangerous: if that check fails or is misconfigured, a malicious pull request could trigger the release job and modify the repository's contents.
Remediation
Avoid using high-privilege tokens in workflows triggered by 'pull_request'. It is safer to make release-related workflows exclusively manually triggered (using 'workflow_dispatch') by trusted users. If PR-based triggers are necessary, limit the token's permissions strictly to the minimum required, such as posting comments, rather than writing to repository content.
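The following is an added illustration of the remediation above, not the repository's actual release.yml. The first document is a constructed sketch of the risky shape the report describes (a 'pull_request' trigger guarded only by a conditional, with write permissions and the bot token); the second is a hardened layout in which the release runs only on 'workflow_dispatch' and any PR-triggered job gets nothing beyond 'pull-requests: write'. The 'release' environment, the 'version' input, and the script path are assumptions.

```yaml
# --- Constructed example of the risky pattern (NOT the repo's real file) ---
# .github/workflows/release.yml (before)
name: release
on:
  pull_request:
# Workflow-wide write scopes: every job inherits them.
permissions:
  contents: write
  pull-requests: write
jobs:
  release:
    # The only thing standing between a PR and the release job is this
    # expression; a typo or a later refactor silently removes the guard.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/release.sh            # assumed script path
        env:
          GH_TOKEN: ${{ secrets.ADYEN_AUTOMATION_BOT_ACCESS_TOKEN }}

---
# --- Hardened layout (constructed example) ---
# .github/workflows/release.yml (after): manual trigger only, least privilege
name: release
on:
  workflow_dispatch:
    inputs:
      version:                               # assumed input
        description: "Version to release"
        required: true
# Start from no permissions; each job requests only what it needs.
permissions: {}
jobs:
  release:
    runs-on: ubuntu-latest
    # Assumed deployment environment with required reviewers; the bot
    # secret is stored there, so it is only exposed after approval.
    environment: release
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4            # pin to a full commit SHA in practice
      - run: ./scripts/release.sh "${{ inputs.version }}"   # assumed script path
        env:
          GH_TOKEN: ${{ secrets.ADYEN_AUTOMATION_BOT_ACCESS_TOKEN }}

---
# .github/workflows/pr-feedback.yml: the only PR-triggered job, comment-only
name: pr-feedback
on:
  pull_request:
permissions: {}
jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write                   # enough to post a comment, nothing more
    steps:
      - run: echo "PR checks completed for ${{ github.event.pull_request.number }}"
```

The hardened version no longer depends on any conditional being correct: the high-privilege token is simply never available to a 'pull_request'-triggered job, and the release job is reachable only by someone allowed to dispatch the workflow and approve the assumed 'release' environment.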