Compare commits

..

8 Commits

Author SHA1 Message Date
Aiqiao Yan
921dc8dd24 edit url one more time 2026-06-15 21:41:19 +00:00
Aiqiao Yan
baaeba4a5e update description and url again 2026-06-15 21:07:44 +00:00
Aiqiao Yan
cb140b4908 update readme 2026-06-15 20:16:22 +00:00
Aiqiao Yan
678aa28ba1 update urls 2026-06-15 20:07:36 +00:00
Aiqiao Yan
c2edb9a740 build 2026-06-15 17:26:12 +00:00
Aiqiao Yan
c12eb249cb run prettier formatting 2026-06-15 16:18:29 +00:00
Aiqiao Yan
12a489776f address copilot and reviewer feedback 2026-06-15 16:12:03 +00:00
Aiqiao Yan
b8447332b0 block checking out fork pr for some events 2026-06-12 19:12:01 +00:00
2 changed files with 6 additions and 6 deletions

6
dist/index.js vendored
View File

@@ -2833,9 +2833,9 @@ function assertSafePrCheckout(input) {
throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` + throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` + `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` + `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
`context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` + `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
`at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` + `the risks at https://gh.io/securely-using-pull_request_target, set ` +
`on the actions/checkout step.`); `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
} }
function pushIfSha(target, value) { function pushIfSha(target, value) {
if (typeof value === 'string' && value.length > 0) { if (typeof value === 'string' && value.length > 0) {

View File

@@ -75,9 +75,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
`Refusing to check out fork pull request code from a '${eventName}' workflow. ` + `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` + `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` + `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
`context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` + `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
`at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` + `the risks at https://gh.io/securely-using-pull_request_target, set ` +
`on the actions/checkout step.` `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
) )
} }