mirror of synced 2025-12-30 12:02:01 -05:00

Add warning regarding pull_request_target event

ylemkimon
2020-11-16 00:11:40 +09:00
committed by GitHub
parent 3d0d13d661
commit d49ccb084e


@@ -574,6 +574,12 @@ on:
This event is similar to `pull_request`, except that it runs in the context of the base repository of the pull request, rather than in the merge commit. This means that you can more safely make your secrets available to the workflows triggered by the pull request, because only workflows defined in the commit on the base repository are run. For example, this event allows you to create workflows that label and comment on pull requests, based on the contents of the event payload.
{% warning %}
**Warning**: When using the `pull_request_target` event, be mindful that it runs in the context of the base repository. As a result, the `GITHUB_TOKEN` has write access to the repository and the cache shares the same scope with the base branch. It is recommended to not run untrusted code in the same context as it may access sensitive information and manipulate the enviroment of the workflow. Furthermore, do not save cache if cache contents could have been altered to prevent cache posioning.
{% endwarning %}
| Webhook event payload | Activity types | `GITHUB_SHA` | `GITHUB_REF` |
| --------------------- | -------------- | ------------ | -------------|
| [`pull_request`](/webhooks/event-payloads/#pull_request) | - `assigned`<br/>- `unassigned`<br/>- `labeled`<br/>- `unlabeled`<br/>- `opened`<br/>- `edited`<br/>- `closed`<br/>- `reopened`<br/>- `synchronize`<br/>- `ready_for_review`<br/>- `locked`<br/>- `unlocked` <br/>- `review_requested` <br/>- `review_request_removed` | Last commit on the PR base branch | PR base branch |
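
Review bot: The added warning text has two misspellings, "enviroment" and "posioning", which should read "environment" and "poisoning". Its last sentence is also ambiguous, because "to prevent cache posioning" can be read as attaching to "altered" rather than to "do not save cache"; consider "Furthermore, to prevent cache poisoning, do not save the cache if its contents could have been altered." Since the context paragraph just above the warning says secrets can "more safely" be made available under this event, it would help for the warning to say what "untrusted code" means here, for example code taken from the pull request itself, so the two statements are not read as conflicting.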