fix(security): Prevent arbitrary code execution in CI workflow (#837)

2026-05-13 15:34:31 +00:00 · 2026-01-13 13:53:03 +00:00 · 2026-01-13 13:53:03 +00:00 · bf02500bbb
commit bf02500bbb
parent 2a406536e7 455d49e8e7
2 changed files with 40 additions and 32 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -9,16 +9,13 @@ permissions:
  pull-requests: write

 jobs:
-  job1:
+  check-files:
    name: Check Not Allowed File Changes
    runs-on: ubuntu-latest
-    outputs:
-      markdown_change: ${{ steps.filter_markdown.outputs.change }}
-      markdown_files: ${{ steps.filter_markdown.outputs.change_files }}
    steps:
-
+      # Note: dorny/paths-filter fetches file info via GitHub API, no checkout needed
      - name: Check Not Allowed File Changes
-        uses: dorny/paths-filter@v2
+        uses: dorny/paths-filter@v3
        id: filter_not_allowed
        with:
          list-files: json
@ -31,7 +28,7 @@ jobs:
      # ref: https://github.com/github/docs/blob/main/.github/workflows/triage-unallowed-contributions.yml
      - name: Comment About Changes We Can't Accept
        if: ${{ steps.filter_not_allowed.outputs.change == 'true' }}
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          script: |
            let workflowFailMessage = "It looks like you've modified some files that we can't accept as contributions."
@ -54,28 +51,3 @@ jobs:
              console.log("Error creating comment.", err)
            }
            core.setFailed(workflowFailMessage)
-
-      - name: Check Not Linted Markdown
-        if: ${{ always() }}
-        uses: dorny/paths-filter@v2
-        id: filter_markdown
-        with:
-          list-files: shell
-          filters: |
-            change:
-              - added|modified: '*.md'
-
-
-  job2:
-    name: Lint Markdown
-    runs-on: ubuntu-latest
-    needs: job1
-    if: ${{ always() && needs.job1.outputs.markdown_change == 'true' }}
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Lint markdown
-        run: npx markdownlint-cli ${{ needs.job1.outputs.markdown_files }} --ignore node_modules
--- a/.github/workflows/lint-markdown.yml
+++ b/.github/workflows/lint-markdown.yml
@ -0,0 +1,36 @@
+name: Lint Markdown
+
+# SECURITY: Use pull_request (not pull_request_target) for workflows that
+# checkout and execute code from PRs. This ensures fork PRs run with
+# read-only permissions and no access to repository secrets.
+#
+# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '**.md'
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint Markdown
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Get changed markdown files
+        id: changed-files
+        uses: tj-actions/changed-files@v45
+        with:
+          files: |
+            **.md
+
+      - name: Lint markdown
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: npx markdownlint-cli@0.43.0 ${{ steps.changed-files.outputs.all_changed_files }} --ignore node_modules