-
This statement is true given the context of the article, but read in isolation is quite misleading and can lead to a dangerous misunderstanding: "Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository." It's only true when the PR is from a forked repo, and that context is 3 paragraphs above this sentence in the article. The first time I read this sentence, I thought all pull requests can't access secrets, and that I can stop worrying about malicious users with write access to my repo and just use branch protection rules. But out of curiosity I kept reading anyway, and only then realized I was wrong. Even though it would technically be redundant, maybe it's possible to clarify "...processing of PRs from forks..." or something.
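The distinction raised in the comment above (a `pull_request` run from a same-repository branch keeps access to repository secrets, while a run from a fork does not) is easy to lose track of across a large set of workflows. The following is an added example, not code from the article or from GitHub Security Lab: a small audit script that flags workflows triggered by the plain `pull_request` event which also reference named secrets, so that a reviewer can see where a collaborator's branch PR would run with secret material in scope. The two workflow texts are constructed for the example; the scanner works on raw text with regular expressions rather than a YAML parser, which is an assumption that keeps it dependency-free and sidesteps the `on:` key being read as a boolean by YAML 1.1 loaders.

```python
import re

# Constructed sample workflows (not taken from the page or any real repository).
WORKFLOW_SAFE = """\
name: ci
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

WORKFLOW_RISKY = """\
name: ci-with-deploy
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
"""

# Matches ${{ secrets.NAME }} with optional whitespace inside the braces.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Matches a reusable-workflow call that forwards every secret.
SECRET_INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*$", re.MULTILINE)


def trigger_block(text):
    """Return the raw text of the top-level 'on:' block: the value on the
    'on:' line itself plus every following indented (or blank) line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("on:"):
            block = [line[len("on:"):]]
            for nxt in lines[i + 1:]:
                if nxt.strip() == "" or nxt[0] in " \t":
                    block.append(nxt)
                else:
                    break
            return "\n".join(block)
    return ""


def triggered_by_pull_request(text):
    """True if the workflow runs on the plain pull_request event.
    '_' is a word character, so \\bpull_request\\b does not match
    pull_request_target, which has different (and riskier) semantics."""
    return re.search(r"\bpull_request\b", trigger_block(text)) is not None


def secret_references(text):
    """Names of repository/organization secrets the workflow references.
    GITHUB_TOKEN is excluded: it is always present, and for fork PRs it is
    read-only, so it is not the concern discussed above."""
    names = sorted(set(SECRET_REF.findall(text)))
    names = [n for n in names if n != "GITHUB_TOKEN"]
    if SECRET_INHERIT.search(text):
        names.append("(secrets: inherit)")
    return names


def audit(text):
    """Return the secrets that a same-repository PR could run with.
    An empty list means either no pull_request trigger or no named secrets."""
    if not triggered_by_pull_request(text):
        return []
    return secret_references(text)


if __name__ == "__main__":
    for name, wf in (("ci", WORKFLOW_SAFE), ("ci-with-deploy", WORKFLOW_RISKY)):
        found = audit(wf)
        status = "secrets reachable from branch PRs: " + ", ".join(found) if found else "ok"
        print(f"{name}: {status}")
```

The safe workflow is flagged clean only because it references no secrets; the `permissions:` block limits `GITHUB_TOKEN`, not access to `secrets.*`, so that block alone would not change the audit result. Run the script over each file in `.github/workflows/` to get a quick inventory of where branch protection is not a substitute for keeping secrets out of PR-triggered jobs.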
-
@JarLob: What do you think?
-
Thanks for the feedback @alexsapps! The process of modifying a GitHub blog post is not so straightforward, but we'll work on improving it.
Ah, this one is actually at securitylab.github.com. Should be updated in a few minutes.