Harden Lint workflow: run on pull_request instead of pull_request_target#5198
Open
RomanIakovlev wants to merge 2 commits into
Conversation
The lint job checks out and runs untrusted PR code (bundle install / rubocop) and does not need repository secrets, so pull_request is the correct, safer trigger. Also re-enables the workflow (previously disabled). The autocorrect job is unchanged and keeps its existing same-repo guard. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
This PR re-enables the previously disabled Lint GitHub Actions workflow and hardens it by switching the trigger from pull_request_target to pull_request, reducing exposure when running PR-author code.
Changes:
- Re-enables the `Lint` workflow definition (was fully commented out).
- Switches the workflow trigger to `pull_request` while preserving `workflow_dispatch` and `merge_group`.
- Keeps the `autocorrect` job and its same-repo guard intact.
| File | Description |
|---|---|
| .github/workflows/lint.yml | Re-enables linting and adjusts workflow triggers/checkout behavior for safer PR execution. |
Copilot's findings
- Files reviewed: 1/1 changed files
- Comments generated: 3
Comment on lines +16 to +19
| - uses: actions/checkout@v6.0.2 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | ||
| repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} |
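Review bot: the explicit `ref:` / `repository:` pair overrides the actions/checkout default for `pull_request` events, which is the synthetic merge commit of the PR with its base; with this override the lint job runs on the PR head commit alone, so a rubocop failure that only appears once the branch is combined with the base branch would not be caught. Either add a comment documenting why the head SHA is preferred, or drop the two `with:` keys and let the default checkout handle `pull_request`, `merge_group` and `workflow_dispatch` alike. The `|| github.ref` and `|| github.repository` fallbacks are correct for the latter two events, where `github.event.pull_request` is absent, and the checkout itself is safe here only because the job runs under `pull_request` with a read-only token.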
Matches the SHA pin used in test.yml and jekyll_build.yml (ruby/setup-ruby@afeafc3 # v1.310.0) for supply-chain consistency. Addresses PR review feedback. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
What
Re-enables the Lint workflow (temporarily disabled) and changes its trigger from `pull_request_target` to `pull_request`.
Why
The `lint` job checks out and runs PR-author code — `bundle install` and `bundle exec rubocop` both evaluate repository files (`Gemfile`, `.rubocop.yml`) as code. Under `pull_request_target` that untrusted code runs in a context with access to repository secrets and a privileged `GITHUB_TOKEN`. The lint job needs neither, so `pull_request` is the correct trigger: fork PR code then runs with a read-only token and no secret access.
Notes
- `autocorrect` job is unchanged and keeps its existing same-repo guard (`if: …head.repo.full_name == github.repository`), so it still pushes auto-fixes for same-repo PRs.
- `workflow_dispatch` and `merge_group` triggers are preserved.
- `actionlint` (only pre-existing SC2086 info notes on the unchanged autocorrect job).
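As an added illustration (not the repository's actual lint.yml; job names, the setup-ruby step and the autocorrect push commands are assumed), a workflow in the shape this PR describes, with the weak trigger it replaces noted in comments beside the hardened one:

```yaml
# Hypothetical lint workflow in the shape this PR describes, not the
# repository's actual .github/workflows/lint.yml; job and step details are assumed.
name: Lint

on:
  # Before: pull_request_target, which runs with repository secrets and a
  # read/write GITHUB_TOKEN while executing PR-author code via the steps below.
  # After: pull_request, where a fork PR gets a read-only token and no secrets.
  pull_request:
  merge_group:
  workflow_dispatch:

# Least privilege for same-repo PRs too: linting only reads the tree.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Checks out the PR head (from the fork, if any). Harmless under
      # pull_request because this job holds no credentials worth stealing.
      - uses: actions/checkout@v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
      - uses: ruby/setup-ruby@afeafc3 # v1.310.0
        with:
          bundler-cache: true  # runs bundle install, which evaluates the PR's Gemfile
      - run: bundle exec rubocop  # evaluates the PR's .rubocop.yml
  autocorrect:
    # Pushing fixes needs write access, so only same-repo branches reach this
    # job; a fork PR fails the guard and the job is skipped.
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - uses: ruby/setup-ruby@afeafc3 # v1.310.0
        with:
          bundler-cache: true
      - run: bundle exec rubocop --autocorrect-all
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git diff --quiet || (git commit -am "Apply rubocop autocorrect" && git push)
```

The `permissions` block is an addition beyond what the PR states; the trigger change alone already gives fork PRs a read-only token, but declaring `contents: read` keeps same-repo PRs at the same privilege level.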