Skip to content

Commit 69f9410

Browse files
fix(examples): gate PR bump preview to same-repo PRs only
Mirrors the security fix on commitizen-tools/commitizen#1957: * `cz bump` can render Jinja templates from the working directory when `update_changelog_on_bump` is set in config, using a non-sandboxed loader. Under `pull_request_target` this would let a fork PR execute arbitrary code with a write token, so gate the job to same-repo PRs only (`head.repo == base.repo`). * Add `persist-credentials: false` on `actions/checkout` as defense in depth. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent a08470c commit 69f9410

1 file changed

Lines changed: 13 additions & 4 deletions

File tree

examples/pr-bump-preview.yaml

Lines changed: 13 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -3,9 +3,11 @@
33
# version bumps before merging.
44
#
55
# Trigger: pull_request_target so the workflow has pull-requests: write
6-
# permission for fork PRs too. Only `cz bump --dry-run` is executed
7-
# against the checked-out PR commits — no PR-controlled scripts are run,
8-
# so this is safe.
6+
# permission. The job is gated to same-repo PRs only — fork PRs are
7+
# skipped because `cz bump` can render Jinja templates from the checked-out
8+
# workspace whenever `update_changelog_on_bump` is set in config, and we
9+
# don't want to execute fork-controlled templates with the workflow's
10+
# elevated permissions.
911
name: PR bump preview
1012

1113
on:
@@ -18,7 +20,12 @@ permissions:
1820

1921
jobs:
2022
bump-preview:
21-
if: ${{ github.event.pull_request.draft == false }}
23+
if: >
24+
${{
25+
github.event.pull_request.draft == false &&
26+
github.event.pull_request.head.repo.full_name ==
27+
github.event.pull_request.base.repo.full_name
28+
}}
2229
runs-on: ubuntu-latest
2330
steps:
2431
- name: Check out PR head
@@ -27,6 +34,8 @@ jobs:
2734
ref: ${{ github.event.pull_request.head.sha }}
2835
fetch-depth: 0
2936
fetch-tags: true
37+
# Defense in depth: don't write the workflow token to .git/config.
38+
persist-credentials: false
3039

3140
- uses: commitizen-tools/setup-cz@main
3241
with:

0 commit comments

Comments
 (0)