From 1e03e19bfc68fc2d7dd983b570ce5f28451969eb Mon Sep 17 00:00:00 2001 From: Sophie <29382425+sophietheking@users.noreply.github.com> Date: Tue, 5 Nov 2024 17:03:05 +0100 Subject: [PATCH] Actions: Changes to Fork Pull Request Approvals [GA] (#52915) Co-authored-by: Steve-Glass <84886334+Steve-Glass@users.noreply.github.com> Co-authored-by: Greg Ose --- ...-policies-for-github-actions-in-your-enterprise.md | 2 ++ .../actions/workflow-run-approve-public-fork.md | 11 +++++++---- .../actions/workflows-from-public-fork-setting.md | 10 ++++++---- 3 files changed, 15 insertions(+), 8 deletions(-) diff --git a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md index a751ae3453..880656685f 100644 --- a/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md +++ b/content/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md 
@@ -136,6 +136,8 @@ Anyone can fork a public repository, then submit a pull request to propose chang You can configure which pull requests require approval before they are run. +>[!WARNING] When requiring approvals only for first-time contributors (the first two settings), a user that has had any commit or pull request merged into the repository will not require approval. A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer, either as part of a pull request they have authored or as part of another user's pull request. + * **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. Requires approval for users who have never committed to the repository and have new {% data variables.product.prodname_dotcom %} accounts. * **Require approval for first-time contributors**. Requires approval for users who have never committed to the repository. * **Require approval for all outside collaborators**. Requires approval for all users who are not organization members. diff --git a/data/reusables/actions/workflow-run-approve-public-fork.md b/data/reusables/actions/workflow-run-approve-public-fork.md index 543e1d2e19..cbf9a90fef 100644 --- a/data/reusables/actions/workflow-run-approve-public-fork.md +++ b/data/reusables/actions/workflow-run-approve-public-fork.md 
@@ -1,9 +1,12 @@ Anyone can fork a public repository, and then submit a pull request that proposes changes to the repository's {% data variables.product.prodname_actions %} workflows. Although workflows from forks do not have access to sensitive data such as secrets, they can be an annoyance for maintainers if they are modified for abusive purposes. -To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. By default, all first-time contributors require approval to run workflows. +To help prevent this, workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first. Depending on the "Approval for running fork pull request workflows from contributors" setting, workflows on pull requests to public repositories will not run automatically and may need approval if: -{% note %} +* The pull request is **created by** a user that requires approvals based on the selected policy. +* The pull request event is **triggered by** a user that requires approvals based on the selected policy. -**Note:** Workflows triggered by `pull_request_target` events are run in the context of the base branch. Since the base branch is considered trusted, workflows triggered by these events will always run, regardless of approval settings. For more information about the `pull_request_target` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)." +By default, all first-time contributors require approval to run workflows. -{% endnote %} +Workflows triggered by `pull_request_target` events are run in the context of the base branch. Since the base branch is considered trusted, workflows triggered by these events will always run, regardless of approval settings. 
For more information about the `pull_request_target` event, see "[AUTOTITLE](/actions/using-workflows/events-that-trigger-workflows#pull_request_target)." + +>[!WARNING] These workflow approval policies are intended to restrict the set of users that can execute workflows in {% data variables.product.prodname_actions %} runners that could lead to unexpected resource and compute consumption when using {% data variables.product.prodname_dotcom %}-hosted runners. If you are using self-hosted runners, potentially malicious user-controlled workflow code will execute automatically if the user is allowed to bypass approval in the set approval policy or if the pull request is approved. You must consider the risk of executing this code in your infrastructure and should review and follow the self-hosted runner security recommendations regardless of the approval settings utilized. See "[AUTOTITLE](/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners)." diff --git a/data/reusables/actions/workflows-from-public-fork-setting.md b/data/reusables/actions/workflows-from-public-fork-setting.md index 6d8fea6f62..c4fd50cbe5 100644 --- a/data/reusables/actions/workflows-from-public-fork-setting.md +++ b/data/reusables/actions/workflows-from-public-fork-setting.md 
@@ -1,7 +1,9 @@ -1. Under **Fork pull request workflows from outside collaborators**, choose one of the options. +1. Under **Approval for running fork pull request workflows from contributors**, choose which subset of users will require approval before running workflows on their pull requests. Both the pull request author and the actor of the pull request event triggering the workflow will be checked to determine if approval is required. If approval is required, a user with write access to the repository must approve the pull request workflow to be run. See "[AUTOTITLE](/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks)." - * **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. This option requires approval to run workflows for users who have never committed to the repository and have new {% data variables.product.prodname_dotcom %} accounts. - * **Require approval for first-time contributors**. This option requires approval to run workflows for users who have never committed to the repository. - * **Require approval for all outside collaborators**. This option requires approval to run workflows for all users who are not repository collaborators. If the repository is owned by an organization, this option requires approval to run workflows for all repository collaborators who are not organization members. + >[!WARNING] When requiring approvals only for first-time contributors (the first two settings), a user that has had any commit or pull request merged into the repository will not require approval. A malicious user could meet this requirement by getting a simple typo or other innocuous change accepted by a maintainer, either as part of a pull request they have authored or as part of another user's pull request. + + * **Require approval for first-time contributors who are new to {% data variables.product.prodname_dotcom %}**. 
Only users who are both new on {% data variables.product.prodname_dotcom %} and who have never had a commit or pull request merged into this repository will require approval to run workflows. + * **Require approval for first-time contributors**. Only users who have never had a commit or pull request merged into this repository will require approval to run workflows. + * **Require approval for all external contributors** All users that are not a member or owner of this repository and not a member of the organization will require approval to run workflows. 1. Click **Save** to apply the settings.
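Review bot: In the first hunk (enforcing-policies-for-github-actions-in-your-enterprise.md), the new `>[!WARNING]` refers to "the first two settings" before the reader has seen any settings, since it is inserted between "You can configure which pull requests require approval before they are run." and the bullet list that names them. Move the warning to after the third bullet ("Require approval for all outside collaborators") so "the first two settings" has a referent, and consider a space after `>` (`> [!WARNING]`) so the alert renders consistently with standard alert syntax.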
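Review bot: In the second hunk (workflow-run-approve-public-fork.md), the replacement paragraph says the same thing twice: "workflows on pull requests to public repositories from some outside contributors will not run automatically, and might need to be approved first." is immediately followed by "workflows on pull requests to public repositories will not run automatically and may need approval if:". Drop the first sentence and let the "Depending on the ... setting" sentence introduce the two bullets directly. In the added warning, "restrict the set of users that can execute workflows in ... runners that could lead to unexpected resource and compute consumption" reads as if the runners cause the consumption; suggest "limit which users can execute workflows on {% data variables.product.prodname_dotcom %}-hosted runners, which could otherwise lead to unexpected resource and compute consumption." The self-hosted runner point is the important one here and is correct as written: approval gates who can trigger a run, not what the run can do once it executes on your infrastructure.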
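Review bot: In the third hunk (workflows-from-public-fork-setting.md), the third option is now labelled "Require approval for all external contributors" while the first hunk still lists it as "Require approval for all outside collaborators"; the two pages describe the same setting and should use the same name. The same bullet is also missing the period after the bold label that the other two bullets have, and "not a member or owner of this repository" uses terms that do not apply to repositories (the removed text said "repository collaborators"); suggest "All users who are not a collaborator on this repository and not a member of the organization will require approval to run workflows."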