Commit 69f9410
fix(examples): gate PR bump preview to same-repo PRs only
Mirrors the security fix on commitizen-tools/commitizen#1957:
* `cz bump` can render Jinja templates from the working directory when
`update_changelog_on_bump` is set in config, using a non-sandboxed
loader. Under `pull_request_target` this would let a fork PR execute
arbitrary code with a write token, so gate the job to same-repo PRs
only (`head.repo == base.repo`).
* Add `persist-credentials: false` on `actions/checkout` as defense
in depth.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>1 parent a08470c commit 69f9410
1 file changed
Lines changed: 13 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
6 | | - | |
7 | | - | |
8 | | - | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
9 | 11 | | |
10 | 12 | | |
11 | 13 | | |
| |||
18 | 20 | | |
19 | 21 | | |
20 | 22 | | |
21 | | - | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
22 | 29 | | |
23 | 30 | | |
24 | 31 | | |
| |||
27 | 34 | | |
28 | 35 | | |
29 | 36 | | |
| 37 | + | |
| 38 | + | |
30 | 39 | | |
31 | 40 | | |
32 | 41 | | |
| |||
0 commit comments