yetanotherjosh 3 hours ago

How is this not a GitHub P0? Can anyone explain? When I read that, I thought "they must be using 'fork' wrong, and actually mean branch on the official repo, as that can't be right!?" Good lord.
|
    ZeWaka 3 hours ago

    They probably used the publish token in a pull-request-target workflow or something?
| |
        ghost_pepper 3 hours ago

        Yes, they used pull_request_target for a benchmarking suite. GitHub has a huge warning saying to never use pull_request_target to run user code, but this is just going to keep happening.
            riknos314 2 hours ago

            > GitHub has a huge warning saying to never use pull_request_target to run user code

            This is an area where documentation is necessary but not sufficient. GitHub needs to add some form of automated screening mechanism to either prevent this usage, or at the very least quickly flag usages that might be dangerous.
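The failure mode ZeWaka and ghost_pepper describe, written out as an added example. This is not the affected project's actual workflow (the page gives no workflow details, only that a `pull_request_target` benchmarking job had access to a publish token); the workflow names, the `bench` npm script and the `NPM_TOKEN` secret are assumptions for illustration. The first document is the dangerous shape, the second and third are the split pattern GitHub's Actions security hardening docs recommend, where the job that executes fork code has no secrets and the job that has secrets never executes fork code.

```yaml
# .github/workflows/bench-unsafe.yml  (the pattern described in the thread; do NOT use)
# pull_request_target runs the workflow file from the BASE branch with the base
# repository's secrets and a read/write GITHUB_TOKEN, even for PRs opened from forks.
# Checking out the PR head and then executing it hands those secrets to whoever
# opened the PR: package.json scripts, the benchmark itself, or any postinstall hook
# can simply read NPM_TOKEN from the environment and send it anywhere.
name: bench (unsafe)
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled tree
      - run: npm ci && npm run bench                       # runs that tree's scripts...
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # ...with the publish token (assumed name) in scope
---
# .github/workflows/bench.yml  (untrusted half, hardened)
# Plain `pull_request` is the right trigger for running contributor code: for PRs
# from forks the job receives no repository secrets and a read-only GITHUB_TOKEN,
# so there is nothing for the benchmark to steal. Only an artifact leaves the job.
name: bench
on:
  pull_request:
permissions:
  contents: read
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # PR merge ref; fine here, nothing privileged is present
      - run: npm ci && npm run bench > bench.txt
      - uses: actions/upload-artifact@v4
        with:
          name: bench-results
          path: bench.txt
---
# .github/workflows/bench-report.yml  (privileged half)
# Runs after the untrusted job finishes, from the default branch, with access to
# secrets, but it never checks out or executes PR code: it only downloads the
# artifact and treats its contents as data. Anything in bench.txt (including any
# PR number the untrusted job wrote there) must be validated before it is used.
name: bench report
on:
  workflow_run:
    workflows: ["bench"]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  report:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: bench-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: cat bench.txt    # untrusted input; do not eval, source, or pass to a shell unquoted
```

The practical check for an existing repository is to search `.github/workflows/` for `pull_request_target` and, for every hit, ask two questions: does any step check out `github.event.pull_request.head.sha` or `head.ref` (or otherwise fetch the PR branch), and does any later step run a build, test, benchmark, or package-manager install? If the answer to both is yes, the job is executing fork-controlled code with base-repository secrets, regardless of how harmless the job's purpose looks. `pull_request_target` is only safe for steps that never execute PR content, such as labelling or commenting using data from the event payload.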
|
|