ID: github-actions/dangerous-trigger
Language: YAML
Severity: Warning
Category: Security
Workflows triggered by the pull_request_target trigger can read secrets and edit code in the repository that the PR is targeting. This is a dangerous trigger that must be used with caution. For security reasons, GitHub runs these workflows using the code from the base branch, rather than the code from the PR.

If you use this trigger you must not check out the code of the PR; otherwise anyone can simply write malicious code and get it to run in a context that has access to your secrets, in addition to write access to the repository. This type of attack is sometimes referred to as a “pwn request”.

Note that if you use the workflow_call trigger, your workflow is callable by other workflows, so possibly by a workflow using the pull_request_target trigger.
Non-compliant code example (uses the pull_request_target trigger):

name: PR
on:
  pull_request_target:
    paths-ignore:
      - datadog_checks_base/datadog_checks/**
      - datadog_checks_dev/datadog_checks/dev/*.py
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref }}
  cancel-in-progress: true
jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit
Compliant code example (uses the pull_request trigger):

name: PR
on:
  pull_request:
    paths-ignore:
      - datadog_checks_base/datadog_checks/**
      - datadog_checks_dev/datadog_checks/dev/*.py
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref }}
  cancel-in-progress: true
jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit
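The rule description above distinguishes three situations: a pull_request_target workflow that also checks out the PR head (the pwn-request pattern), a pull_request_target workflow that does not, and a workflow_call workflow that checks out the PR head and could be reached from a pull_request_target caller. The following added scanner, written for this page and not part of Datadog's rule engine, flags each of these in a workflow file. It is a deliberately dependency-free, line-based heuristic (no YAML library), so it only recognises the common layout of `uses: actions/checkout@...` followed by a `with:` block whose `ref:` refers to `github.event.pull_request.head` or `github.head_ref`; the sample workflows embedded below are constructed for the test and are not from the original page.

```python
"""Heuristic scanner for the GitHub Actions pwn-request pattern.

Added example for this page; not Datadog's implementation of the rule.
Line-based on purpose: it needs no YAML parser, at the cost of only
understanding the usual block-style layout of a workflow file.
"""
import re

# Triggers the rule cares about, looked for only in the part of the file
# before the top-level `jobs:` key (i.e. inside the `on:` block).
TRIGGER_RE = re.compile(r"\b(pull_request_target|workflow_call)\b")
# A checkout step, written either as `- uses: actions/checkout@v4`
# or as a `uses:` key under `- name: ...`.
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
# A `ref:` that points at the PR head, which is attacker-controlled
# in a pull_request_target context.
PR_HEAD_REF_RE = re.compile(
    r"^\s*ref:\s*.*(github\.event\.pull_request\.head|github\.head_ref)"
)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text):
    """Return a list of finding strings for one workflow file's text."""
    triggers = set()
    pr_head_checkout = False
    seen_jobs = False
    key_indent = None  # indentation of the `uses:` key of the current checkout step

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop YAML comments (heuristic)
        if not line.strip():
            continue
        if re.match(r"^jobs:", line):
            seen_jobs = True
        if not seen_jobs:
            for m in TRIGGER_RE.finditer(line):
                triggers.add(m.group(1))
        if CHECKOUT_RE.match(line):
            stripped = line.lstrip(" ")
            key_indent = _indent(line) + (2 if stripped.startswith("- ") else 0)
            continue
        if key_indent is not None:
            if _indent(line) < key_indent:
                key_indent = None  # left the checkout step's body
            elif PR_HEAD_REF_RE.match(line):
                pr_head_checkout = True

    findings = []
    if "pull_request_target" in triggers:
        if pr_head_checkout:
            findings.append(
                "critical: pull_request_target workflow checks out the PR head (pwn request)"
            )
        else:
            findings.append(
                "warning: pull_request_target trigger; never check out PR code here"
            )
    if "workflow_call" in triggers and pr_head_checkout:
        findings.append(
            "warning: workflow_call workflow checks out the PR head; "
            "a pull_request_target workflow may call it"
        )
    return findings


# Constructed sample workflows for demonstration (not from the page).
VULNERABLE = """\
name: PR
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out PR code   # this is the mistake
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./run-tests.sh
"""

CAUTION = """\
name: PR
on:
  pull_request_target:
jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    secrets: inherit
"""

REUSABLE = """\
on:
  workflow_call:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
"""

SAFE = """\
name: PR
on:
  pull_request:
jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    secrets: inherit
"""

if __name__ == "__main__":
    for label, wf in [("vulnerable", VULNERABLE), ("caution", CAUTION),
                      ("reusable", REUSABLE), ("safe", SAFE)]:
        print(label, scan_workflow(wf) or ["ok"])
```

Run it on a real repository by reading each file under `.github/workflows/` and passing its contents to `scan_workflow`; a "critical" finding is the exact combination the rule warns about, while the two "warning" findings mark workflows that need a human look at what they do with the PR's code.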