TG Notification is Not Working for PRs From Forked Repositories

Error msg: `missing telegram token or user list`

Reason:

>Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios such access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.

See https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Potential solution: Using `pull_request_target` Event

https://github.com/sec-bit/mle-pcs/blob/8232016549e38f45d17d2e7a90e9d5d17540ed60/.github/workflows/notify.yml#L6-L7

Risk: If the workflow executes code from the PR branch, it can potentially expose secrets. Malicious actors could craft PRs that deliberately exploit this to leak secrets.

Mitigation: Carefully design the workflow to avoid executing untrusted code or exposing secrets.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

TG Notification is Not Working for PRs From Forked Repositories #13

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	pull_request:
	types: [opened, closed, reopened]

TG Notification is Not Working for PRs From Forked Repositories #13

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions