SECURITY FIX: The previous CI workflow was vulnerable to arbitrary code
execution from fork PRs due to using `pull_request_target` with checkout
of untrusted PR code.
Attack vector:
- Attacker forks repo and adds malicious node_modules/.bin/markdownlint-cli
- Opens PR to trigger CI workflow
- npx executes attacker's script with repository write permissions
- Attacker can exfiltrate credentials, comment on PRs, or push code
Fix:
- Split workflow into two separate files
- ci.yml: Uses pull_request_target for commenting (no code checkout)
- lint-markdown.yml: Uses pull_request for linting (safe to checkout)
The pull_request trigger runs fork PRs with read-only permissions and
no access to repository secrets, making it safe to checkout and execute
PR code.
Additional improvements:
- Updated actions to latest versions (checkout@v4, github-script@v7, paths-filter@v3)
- Pin markdownlint-cli version to prevent supply chain attacks
- Added security comments explaining the rationale
Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
