Summary
The GitHub Actions workflow_run event allows running workflows in response to other workflows. This makes it easier to secure PR automation: we can split the work into one workflow that extracts PR details and another that acts on the PR, instead of using pull_request_target, which would hand a write token to workflows triggered from any fork.
However, the challenge with workflow_run is that GitHub doesn't allow restricting where the triggering (dependency) workflow may run. For example, Run Tests could be a workflow that runs in the base repo or in any fork:
on:
  workflow_run:
    workflows: [Run Tests]
    types:
      - completed
Besides the practice of manually approving fork workflows on a per-PR basis (which we already do), we can do better by adding a security layer that only allows sensitive dependent workflows to proceed when the triggering run originated in the base repo.
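One way to implement that layer today, as an added example that is not part of this issue: a step script for the dependent workflow that reads the workflow_run event payload and fails closed unless the triggering run's head repository is the base repository. It mirrors the job-level expression github.event.workflow_run.head_repository.full_name == github.repository and assumes only GitHub's standard GITHUB_EVENT_PATH and GITHUB_REPOSITORY variables; the sample payloads are constructed.

```python
"""Gate a workflow_run-triggered job so it only proceeds when the
triggering run came from the base repository, not a fork.

Added example for this issue; assumes the standard GITHUB_EVENT_PATH and
GITHUB_REPOSITORY environment variables that GitHub sets for every step.
"""
import json
import os
import sys


def is_trusted_workflow_run(event: dict, base_repository: str) -> bool:
    """Return True only if the triggering run originated in base_repository.

    Inspects workflow_run.head_repository (where the triggering commit lives),
    not workflow_run.repository, which is always the base repo even for forks.
    """
    run = event.get("workflow_run") or {}
    head = run.get("head_repository") or {}
    if head.get("fork", True):  # missing field is treated as untrusted
        return False
    if head.get("full_name") != base_repository:
        return False
    # Only act on successful completions of the triggering workflow.
    return run.get("conclusion") == "success"


# Constructed sample payloads, trimmed to the fields the check uses.
BASE_REPO_EVENT = {"workflow_run": {"conclusion": "success",
    "head_repository": {"full_name": "example-org/app", "fork": False},
    "repository": {"full_name": "example-org/app"}}}
FORK_EVENT = {"workflow_run": {"conclusion": "success",
    "head_repository": {"full_name": "someone/app", "fork": True},
    "repository": {"full_name": "example-org/app"}}}


def main() -> int:
    """Step entry point: a non-zero exit makes the dependent job fail closed."""
    with open(os.environ["GITHUB_EVENT_PATH"]) as fh:
        event = json.load(fh)
    if not is_trusted_workflow_run(event, os.environ["GITHUB_REPOSITORY"]):
        print("refusing: triggering run did not originate in the base repository")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the first step of the dependent job; the same condition as a job-level if: keeps the job from starting at all, which is preferable when the job needs secrets.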
Why is this needed?
It increases our security posture by not relying solely on the human approval step. It also provides a worked example to support a feature request to the GitHub Actions team.
Which area does this relate to?
Automation, Governance
Solution
No response
Acknowledgment