Skip to content

update note regarding pull_request_target #644

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
beeequeue wants to merge 2 commits into
base: main
Choose a base branch
from
+15 −5
Open

update note regarding pull_request_target #644

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e604f65
Update README with pull_request_target usage guidelines
beeequeue Jun 2, 2026
2df4dde
Update README with pull_request_target caution
beeequeue Jun 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 15 additions & 5 deletions pr-status/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,18 @@

This action generates the changesets status in PRs, e.g. whether it has changeset files and which packages will be released if the PR is merged.

It requires the repo to be checked out, and automatically fetches the PR head ref into a temporary detached worktree in order to infer the changed files and packages. It also requires the [`pull_request_target`](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target) event to be triggered in order to have permissions to comment on the PR and to work in PRs from forks.
It requires the repo to be checked out, and automatically fetches the PR head ref into a temporary detached worktree in order to infer the changed files and packages.

See the [action metadata](action.yml) for details on the inputs and outputs.

> [!CAUTION]
> **This action uses `pull_request_target` by default to support PRs from forks.**
>
> Generally, **do not execute any code except for GitHub Actions** when using the `pull_request_target` event.
Copy link
Copy Markdown
Member Author

@beeequeue beeequeue Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm still not entirely sure about the wording in this line, but i think it's a good guideline to give to people who don't know anything about the subject

i considered adding a line saying "e.g. installing dependencies can lead to cache poisoning in the main repo", but decided against it

Copy link
Copy Markdown
Member Author

@beeequeue beeequeue Jun 2, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe it should say "do not execute any code except code inside GitHub Actions"?

Copy link
Copy Markdown
Member

@bluwy bluwy Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think previously the "do not run untrusted code" would fit better, since github actions can't guarantee that they won't run untrusted code either. Maybe we can give some examples of what not to do, but I don't think is necessary.

>
> The example below only _checks out_ and does not _run_ any code from the PR.
>
> Read more about the `pull_request_target` event in the [GitHub documentation](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target).

You can also use the [`pull_request`](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request) event if you prefer to lock permissions down and not run for PRs from forks. Make sure to add an if check to prevent the action from failing in fork PRs:

Expand All @@ -13,10 +24,7 @@ jobs:
# ...
```

See the [action metadata](action.yml) for details on the inputs and outputs.

> [!WARNING]
> **Do not run untrusted code** when using the `pull_request_target` event. The example below only checks out code and does not run any code from the PR. Read more about the `pull_request_target` event in the [GitHub documentation](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target).
You can also use the [Changesets Bot](https://github.com/apps/changeset-bot) if you don't want an extra action in your repo, or are worried about the `pull_request_target` event.
Comment thread
bluwy marked this conversation as resolved.

## Example setup

Expand All @@ -27,6 +35,8 @@ name: Comment Changesets status in PRs
on:
pull_request_target:

permissions: {} # require explicitly stating all permissions in each job
Copy link
Copy Markdown
Member Author

@beeequeue beeequeue Jun 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should override whatever default permissions the repo is configured to use, so the comment step can't accidentally get content: write


concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
Expand Down