Merge pull request #164880 from Mic92/github-tokens

ci: add warning to actions with writeable GITHUB_TOKEN
2022-03-21 08:40:03 +00:00 · 2022-03-21 08:40:03 +00:00 · 5646fe3c6d
parent 0e882f0d2b 92a720cbac
commit 5646fe3c6d
3 changed files with 16 additions and 0 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -2,6 +2,12 @@ name: Backport
 on:
  pull_request_target:
    types: [closed, labeled]
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
 jobs:
  backport:
    name: Backport Pull Request
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@ -4,6 +4,11 @@ on:
  pull_request_target:
    types: [edited, opened, synchronize, reopened]

+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows some write
+# access to the GitHub API. This means that it should not evaluate user input in
+# a way that allows code injection.
+
 permissions:
  contents: read
  pull-requests: write
--- a/.github/workflows/pending-set.yml
+++ b/.github/workflows/pending-set.yml
@ -3,6 +3,11 @@ name: "set pending status"
 on:
  pull_request_target:

+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
 jobs:
  action:
    runs-on: ubuntu-latest