Brian Douglas for GitHub


Keeping GitHub Action workflows secure

GitHub Security Lab's mission is to inspire and enable the community to secure the open-source software we all depend on. In a recent disclosure, they reported 84 vulnerable GitHub Action workflows to maintainers, with issues ranging from pull_request_target abuse to script injections.

If you have been following my daily tips, you know I am a big fan of the pull_request_target event for my open-sourced GitHub Actions. Today I am going to talk about it and how you can ensure your use of it is secure.

GitHub Actions is a powerful feature, but with that power comes the responsibility to secure your code.

TL;DR: To prevent access to sensitive repository information, refrain from combining the pull_request_target trigger with actions/checkout.

| Workflow trigger | Runs in the context of | Access to repo secrets |
|---|---|---|
| pull_request | merge commit | no |
| pull_request_target | target repository (including secrets) | yes |

Using actions/checkout stores the repository credentials in the local .git/config file of the runner environment. This does not happen if the action is configured with persist-credentials: false. By default, GitHub Actions scrubs from memory any secrets that are not explicitly referenced in the workflow or in an included Action.

Any automated processing of PRs from external forks is potentially dangerous and should be treated like untrusted input. As a precaution, review the code of the GitHub Actions enabled on your project to validate their source.

You can treat PRs from forks as untrusted input by not granting write access to workflows triggered by PRs that forked repositories open against your project.

GitHub's standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios, such access is needed to properly process the PR. To this end, the pull_request_target workflow trigger was introduced.

The pull_request_target event runs in the context of the target repository of the PR, rather than in the merge commit. This means the standard checkout action checks out the target repository, which prevents accidental use of the user-supplied code.

With all this said, if you can trust/validate all the input from a user's PR then you are in the most secure position.
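As an added example (not from the original post), here is the risky pattern described above next to a hardened version of the same idea; the workflow names, job names and the `needs-review` label are illustrative choices, not anything the post prescribes:

```yaml
# Added example, not from the original post. Two workflows that react to PRs
# from forks; names and the label are illustrative.

# --- Risky pattern: pull_request_target plus a checkout of the PR's own code ---
# The job runs with the target repository's secrets, and actions/checkout
# persists the repository token in .git/config by default, so whatever the
# fork's PR makes `npm install` execute runs with both of them available.
name: pr-check-risky
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # user-supplied code
      - run: npm install && npm test                       # executes that code

---
# --- Hardened pattern ---
# Keep pull_request_target only for the privileged step that needs it
# (labelling the PR), leave the checkout on the target repository so no
# user-supplied code is fetched, drop the persisted token, and grant the job
# the minimum permissions. Untrusted build/test steps belong in a separate
# pull_request workflow, which gets no secrets in the first place.
name: pr-label-safe
on: pull_request_target
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # no `ref:`, so only trusted base code
        with:
          persist-credentials: false   # nothing left behind in .git/config
      # PR data is passed through env, never interpolated into the script body
      - run: gh pr edit "$PR_NUMBER" --add-label needs-review
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
```

The second workflow still uses pull_request_target because adding a label needs write access; the point is that nothing from the fork is checked out or executed while that access is available.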

To keep up to date on other vulnerabilities disclosed through GitHub, check out GitHub's full vulnerability list.

https://securitylab.github.com/advisories

This is part of my 28 days of Actions series. To get notified of more GitHub Action tips, follow the GitHub organization right here on Dev.
