MA-16612: replace pull_request_target with pull_request to protect ag…

…ainst writes from external PRs
VKCOM · Jan 25, 2024 · d040ab0 · d040ab0
1 parent bbaf02d
commit d040ab0
Showing 1 changed file with 1 addition and 17 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -1,18 +1,6 @@
 name: 'Pull Request'
 
-# > Про 'pull_request_target' и про риски его использования можно ознакомиться в статье по ссылке ниже
-# > https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-#
-# При 'pull_request_target' свойство `github.ref` будет соответствовать `refs/head/master`, поэтому необходимо
-# вручную перебивать его на `github.event.pull_request.number` там, где это необходимо.
-#
-# Пример:
-# ```
-# - uses: actions/checkout@v3
-#   with:
-#     ref: refs/pull/${{ github.event.pull_request.number }}/merge
-# ```
-on: ['pull_request_target']
+on: ['pull_request']
 
 concurrency:
   group: pr-common-${{ github.event.pull_request.number }}
@@ -25,8 +13,6 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
       - name: Setting up the repository environment
         uses: ./.github/actions/setup
@@ -50,8 +36,6 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
       - name: Setting up the repository environment
         uses: ./.github/actions/setup