[ci] Don't use pull_request_target #32708

poteto · 2025-03-21T19:59:03Z

pull_request_target gives access to repository secrets and permissions for use from forks, for example to add a comment.

Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios such access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.

The reason to introduce the pull_request_target trigger was to enable workflows to label PRs (e.g. needs review) or to comment on the PR.

(via https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/)

In this case there is no reason for us to allow this, so let's just use the normal `pull_request` trigger which is less permissive.

Stack created with Sapling. Best reviewed with ReviewStack.

react-sizebot · 2025-03-21T20:06:22Z

Comparing: fe8c106...399224e

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable/react-dom/cjs/react-dom.production.js	=	6.68 kB	6.68 kB	=	1.83 kB	1.83 kB
oss-stable/react-dom/cjs/react-dom-client.production.js	=	515.14 kB	515.14 kB	=	91.74 kB	91.74 kB
oss-experimental/react-dom/cjs/react-dom.production.js	=	6.69 kB	6.69 kB	=	1.83 kB	1.83 kB
oss-experimental/react-dom/cjs/react-dom-client.production.js	=	615.53 kB	615.53 kB	=	108.89 kB	108.89 kB
facebook-www/ReactDOM-prod.classic.js	=	651.48 kB	651.48 kB	=	114.89 kB	114.89 kB
facebook-www/ReactDOM-prod.modern.js	=	641.76 kB	641.76 kB	=	113.31 kB	113.31 kB

Significant size changes

Includes any change greater than 0.2%:

(No significant changes)

Generated by 🚫 dangerJS against 399224e

Missed these ones earlier. --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/facebook/react/pull/32707). * #32708 * __->__ #32707

Missed one

`pull_request_target` gives access to repository secrets and permissions for use from forks, for example to add a comment. > Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios such access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced. > The reason to introduce the pull_request_target trigger was to enable workflows to label PRs (e.g. needs review) or to comment on the PR. (via https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/) In this case there is no reason for us to allow this, so let's just use the normal `pull_request` trigger which is less permissive.

Missed one --- [//]: # (BEGIN SAPLING FOOTER) Stack created with [Sapling](https://sapling-scm.com). Best reviewed with [ReviewStack](https://reviewstack.dev/facebook/react/pull/32709). * #32708 * __->__ #32709

Defaults permissions to none for all workflows, and only request extra permissions when needed. Similar to facebook/react#32708, prefer the less permissive `pull_request` trigger instead.

* [ci] Fix permissions and don't use pull_request_target Defaults permissions to none for all workflows, and only request extra permissions when needed. Similar to facebook/react#32708, prefer the less permissive `pull_request` trigger instead. * [ci] Pin 3rd party actions to specific hash

poteto mentioned this pull request Mar 21, 2025

[ci] Add missing permissions #32707

Merged

facebook-github-bot added the CLA Signed label Mar 21, 2025

vercel bot deployed to Preview March 21, 2025 20:00 View deployment

poteto force-pushed the pr32708 branch from a787e9d to 212cb63 Compare March 21, 2025 20:01

vercel bot deployed to Preview March 21, 2025 20:02 View deployment

vercel bot deployed to Preview March 21, 2025 20:08 View deployment

poteto force-pushed the pr32708 branch from aea551b to 190c5fe Compare March 21, 2025 20:10

poteto mentioned this pull request Mar 21, 2025

[ci] Also give permissions on pull_requests #32709

Merged

poteto added 2 commits March 21, 2025 16:10

[ci] Also give permissions on pull_requests

06dafd5

Missed one

poteto force-pushed the pr32708 branch from 190c5fe to 399224e Compare March 21, 2025 20:10

github-actions bot added the React Core Team Opened by a member of the React Core Team label Mar 21, 2025

vercel bot deployed to Preview March 21, 2025 20:12 View deployment

poteto merged commit 156f0ec into main Mar 21, 2025
245 of 247 checks passed

poteto deleted the pr32708 branch March 21, 2025 20:17

poteto mentioned this pull request Mar 21, 2025

[ci] Fix permissions and don't use pull_request_target reactjs/react.dev#7689

Merged

vercel-release-bot mentioned this pull request Mar 25, 2025

Upgrade React from db7dfe05-20250319 to 740a4f7a-20250325 vercel/next.js#77507

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[ci] Don't use pull_request_target #32708

[ci] Don't use pull_request_target #32708

poteto commented Mar 21, 2025 •

edited

Loading

react-sizebot commented Mar 21, 2025 •

edited

Loading

[ci] Don't use pull_request_target #32708

[ci] Don't use pull_request_target #32708

Conversation

poteto commented Mar 21, 2025 • edited Loading

In this case there is no reason for us to allow this, so let's just use the normal pull_request trigger which is less permissive.

react-sizebot commented Mar 21, 2025 • edited Loading

Critical size changes

Significant size changes

poteto commented Mar 21, 2025 •

edited

Loading

In this case there is no reason for us to allow this, so let's just use the normal `pull_request` trigger which is less permissive.

react-sizebot commented Mar 21, 2025 •

edited

Loading