Merge pull request #597 from KhronosGroup/fix-cts-issue-workflow-trigger

Only run CTS issue workflow when opening PRs; run on base branch
KhronosGroup · Aug 2, 2024 · 976ac9b · 976ac9b
2 parents d314fbc + 3a244dc
commit 976ac9b
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/.github/workflows/open_cts_issue.yml b/.github/workflows/open_cts_issue.yml
@@ -1,5 +1,15 @@
 name: Open CTS issue for spec changes
-on: pull_request
+on:
+  # We use the pull_request_target trigger to always run the workflow in the context of the base branch,
+  # since this allows us to access repository secrets even if the PR originates from a fork.
+  #
+  # Importantly, the workflow must not checkout any code from the PR branch, as this could allow an attacker
+  # to gain write access to the repository.
+  # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for more information.
+  pull_request_target:
+    types: opened
+    paths:
+      - 'adoc/**'
 jobs:
   create-issue:
     runs-on: ubuntu-latest