ci: stop running untrusted PR code with secrets (pull_request_target -> pull_request)#87

Merged: thrilok209 merged 1 commit into master from security/harden-ci-pull-request-target on May 31, 2026

Conversation

@thrilok209

Member

run-tests.yml used pull_request_target while checking out the PR head SHA and
running npm install / npm run test with secrets.ALCHEMY_ID in the environment,
so any fork PR could exfiltrate the secret. Switching to pull_request means fork PRs
run with a read-only token and no secrets. Please rotate ALCHEMY_ID as a precaution.
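
Added illustration of the change described above (not the repository's own run-tests.yml, which is not reproduced on this page): the weak trigger beside the hardened one. The job name, the `branches` filter, the `permissions` block and the checkout action version are assumptions; ALCHEMY_ID, the head-SHA checkout and the npm commands come from the PR description.

```yaml
# BEFORE (weak). pull_request_target runs in the base repository's context:
# the job receives a write-capable GITHUB_TOKEN and repository secrets, yet it
# checks out and executes the fork's code, so that code runs with
# ALCHEMY_ID in its environment. Reconstruction, not the original file.
name: run-tests
on:
  pull_request_target:                 # trusted context, untrusted code
    branches: [master]                 # assumption
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # version is an assumption
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork's commit
      - run: npm install               # package scripts also run here
      - run: npm run test
        env:
          ALCHEMY_ID: ${{ secrets.ALCHEMY_ID }}           # exposed to fork code
---
# AFTER (hardened). pull_request runs in the PR's own context: for pull
# requests from forks GITHUB_TOKEN is read-only and secrets.* are not
# provided (they resolve to empty), so the same steps cannot leak anything.
# Without `ref:` the checkout defaults to the PR's merge commit.
name: run-tests
on:
  pull_request:
    branches: [master]                 # assumption
permissions:
  contents: read                       # assumption: least privilege for the token
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install
      - run: npm run test
        env:
          ALCHEMY_ID: ${{ secrets.ALCHEMY_ID }}           # empty for fork PRs
```

Fork PRs will now run the tests without ALCHEMY_ID, so any test that needs it must tolerate its absence or run only in a trusted trigger (for example on push to master). Rotating ALCHEMY_ID, as the description asks, is what closes the window for secrets already exposed under the old trigger.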

@thrilok209 thrilok209 merged commit fef062a into master May 31, 2026
0 of 2 checks passed

3 participants