ci: switch test-link trigger from pull_request_target to pull_request#265
Merged
Why

The recent TanStack NPM supply-chain compromise was carried out via a pull_request_target workflow. As a precaution, we are removing pull_request_target triggers from all Replit-owned public repos so that no workflow runs with write-scoped repo secrets against fork-controlled inputs.

The current test-link.yml workflow uses pull_request_target so that fork PRs also get an auto-appended raw.githack.com web-demo link in the PR description. It only uses actions/github-script and never checks out PR head code, so the immediate exposure is limited — but per policy we're removing the trigger entirely rather than relying on the workflow staying safe under future edits.

See also Slack thread: https://replit.slack.com/archives/C03FS477T17/p1778588219046429

What changed

.github/workflows/test-link.yml: switched the trigger from pull_request_target: to pull_request:. Nothing else in the workflow changes.

Tradeoff: With pull_request, the workflow runs against the fork's code with a read-only GITHUB_TOKEN, which cannot edit the PR description. In practice this means:

- replit/codemirror-vim): still get the auto-appended web-demo link, exactly as before.

If we want fork-PR support back, the recommended replacement is either a separately-gated GitHub App, or a workflow split into two parts (an unprivileged pull_request job that produces the link as an artifact, plus a privileged workflow_run follow-up that posts a comment — not edits the description) so it never runs untrusted code with write permissions.

Test plan

- raw.githack.com link. Opening a fork PR will no longer auto-append the link (expected per the tradeoff above).

Revertibility

Safe to revert — it's a single trigger change in a single workflow file with no data migrations or protocol changes. Reverting restores the previous behavior of auto-appending links on fork PRs (and reintroduces the pull_request_target exposure).

~ written by Zerg 👾 (morphing-hellion-0ea0)
Open web-demo @ 10b40d1308f2b94cd433171be53a1b415f552cf7
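The two-part split described in the PR body, written out as an added illustration (this is not the repo's own workflow; the workflow `name:` values, the artifact name and the `DEMO_PATH` segment of the raw.githack.com URL are assumptions). The unprivileged half records only the PR number and head SHA, and the privileged half treats even those as fork-controlled input and validates them before building the link itself.

```yaml
# --- .github/workflows/test-link.yml: unprivileged half, runs on the fork's code with a read-only token ---
name: Test link   # assumed name; the privileged half refers to it below
on:
  pull_request:
permissions:
  contents: read
jobs:
  link:
    runs-on: ubuntu-latest
    steps:
      - run: |
          mkdir -p out
          echo "${{ github.event.pull_request.number }}" > out/pr_number
          echo "${{ github.event.pull_request.head.sha }}" > out/head_sha
      - uses: actions/upload-artifact@v4
        with:
          name: test-link
          path: out/
# --- .github/workflows/test-link-comment.yml: privileged half, runs the default branch's copy of this file ---
name: Test link comment
on:
  workflow_run:
    workflows: ["Test link"]
    types: [completed]
permissions:
  actions: read         # needed to download the other run's artifact
  pull-requests: write  # comment only; the token never touches fork code
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: test-link
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // Artifact contents are fork-controlled: validate strictly before use.
            const pr = fs.readFileSync('pr_number', 'utf8').trim();
            const sha = fs.readFileSync('head_sha', 'utf8').trim();
            if (!/^\d+$/.test(pr) || !/^[0-9a-f]{40}$/.test(sha)) { core.setFailed('artifact failed validation'); return; }
            // Build the link here; DEMO_PATH is a placeholder for the repo's demo page.
            const url = `https://raw.githack.com/${context.repo.owner}/${context.repo.repo}/${sha}/DEMO_PATH`;
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: Number(pr), body: `Open web-demo @ ${sha}: ${url}` });
```

Because workflow_run only fires from the default branch's copy of the privileged file, a fork cannot edit the job that holds the write token, and the PR number must travel in the artifact since the workflow_run payload does not carry it for fork PRs.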