PDP-1182 SECCMP-1797: Switch to pull_request trigger and add top-level permissions#149
GAdityaVarma wants to merge 1 commit into main.
Conversation
This workflow only validates JIRA IDs in the PR title. It does not need write permissions or secrets access. Switching to pull_request eliminates the PwnRequest attack surface entirely for this repo. Also adds explicit top-level permissions: contents: read.
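As an added example (not code from this PR or from marklogic/pr-workflows): a dependency-free audit that applies the three hardening checks discussed on this page (no pull_request_target trigger, a top-level permissions block, SHA-pinned `uses:` refs) to workflow YAML text. Both workflow texts are constructed for the example, and the 40-hex commit ref is a placeholder, not a real commit.

```python
import re

# Constructed sample (not the repository's real file): the state this PR moves away from.
WEAK_WORKFLOW = """\
name: JIRA ID Validator
on:
  pull_request_target:
    types: [opened, edited, synchronize]
jobs:
  jira-pr-check:
    uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main
"""

# Constructed sample: the hardened shape this PR and its review describe. The 40-hex
# ref is a placeholder, not a real commit of marklogic/pr-workflows.
HARDENED_WORKFLOW = """\
name: JIRA ID Validator
on:
  pull_request:
    types: [opened, edited, synchronize]
permissions:
  contents: read
jobs:
  jira-pr-check:
    uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@0123456789abcdef0123456789abcdef01234567
"""

SHA_REF = re.compile(r"@[0-9a-f]{40}$")

def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means all three checks pass."""
    findings = []
    # 1. pull_request_target runs fork-supplied input with a write token and secrets.
    if re.search(r"^\s+pull_request_target[ \t]*:", text, re.M):
        findings.append("uses pull_request_target trigger")
    # 2. A column-0 permissions key caps GITHUB_TOKEN for every job, reusable-workflow calls included.
    m = re.search(r"^permissions[ \t]*:[ \t]*(\S*)", text, re.M)
    if not m:
        findings.append("no top-level permissions block")
    elif m.group(1) == "write-all":
        findings.append("top-level permissions grant write-all")
    # 3. Actions and reusable workflows should be pinned to a full commit SHA, not a branch or tag.
    for u in re.finditer(r"^\s*-?[ \t]*uses[ \t]*:[ \t]*(\S+)", text, re.M):
        ref = u.group(1)
        if not ref.startswith("./") and not SHA_REF.search(ref):
            findings.append(f"unpinned ref: {ref}")
    return findings

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or ["ok"])
```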
Pull request overview
This PR hardens the JIRA ID validator GitHub Actions workflow by switching its trigger from pull_request_target to pull_request and explicitly restricting default token permissions to read-only, reducing exposure to “PwnRequest”-style attacks.
Changes:
- Switch workflow trigger from pull_request_target to pull_request.
- Add top-level workflow permissions (contents: read) to enforce least privilege.
| jira-pr-check: | ||
| name: 🏷️ Validate JIRA ticket ID | ||
| # Use the reusable workflow from the central repository | ||
| uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main |
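Review bot: Because `jira-pr-check` calls a reusable workflow through `uses:`, the caller's new top-level `permissions: contents: read` is the ceiling for the called workflow's GITHUB_TOKEN (a called workflow can only narrow the caller's grant, never widen it). Please confirm that `jira-id-check.yml` in marklogic/pr-workflows needs nothing beyond `contents: read` (reading the PR title from the event payload requires no extra scope); if it does, the check will fail instead of running with the permission it expects, so note the requirement next to the `uses:` line.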
The reusable workflow is referenced via a mutable ref (@main). For supply-chain safety and reproducibility, pin this to an immutable ref (tag/release) or a commit SHA, especially since this workflow runs on untrusted PR inputs.
| uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@main | |
| uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@0123456789abcdef0123456789abcdef01234567 |
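Review bot: The SHA in the suggested `uses:` line is a placeholder, not a real commit of marklogic/pr-workflows; whoever applies it should resolve the intended release to its commit and record the version as a trailing comment, e.g. `uses: marklogic/pr-workflows/.github/workflows/jira-id-check.yml@<sha> # <tag>`, so the pin stays readable and Dependabot's github-actions ecosystem updates can bump it.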
| @@ -1,16 +1,15 @@ | |||
| name: 🏷️ JIRA ID Validator | |||
|
|
|||
| on: | |||
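Review bot: With `on: pull_request` and no `types:` filter, the default activity types are `opened`, `synchronize` and `reopened`; `edited` is not among them, so a contributor who fixes the PR title after this check fails will not retrigger the validator until another commit is pushed. For a title-only check, consider `pull_request: types: [opened, edited, synchronize, reopened]`.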
Switching from pull_request_target to pull_request changes how forked PRs are handled: for first-time/externally contributed forks, GitHub may require a maintainer to approve the workflow run before it executes. Please confirm this tradeoff is acceptable for the JIRA title check (or document the expected maintainer action).
| on: | |
| on: | |
| # Intentionally use `pull_request` for this title-only validation workflow. | |
| # For first-time or external contributors opening PRs from forks, GitHub may | |
| # require a maintainer to approve the workflow run before this check executes. | |
| # Maintainers should approve the run when needed so the JIRA title check can complete. |
|
@GAdityaVarma We can remove this workflow from the repository from both main and develop branches.
SECCMP-1797: Switch from pull_request_target to pull_request
This workflow only validates JIRA IDs in the PR title. It does not need write permissions or secrets access.
Switching to pull_request eliminates the PwnRequest attack surface entirely - no write token, no secrets exposure, regardless of what input is provided. Also adds explicit permissions: contents: read at the workflow level.
Ref: Preventing pwn requests