by adnanthekhan 884 days ago
This is more subtle, but there is an "author_association" field within Actions event contexts that can be one of:

NONE, CONTRIBUTOR, COLLABORATOR, MEMBER, OWNER

There are some cases where people use checks for that as part of gating for workflows that run on pull_request_target/issue_comment, but might confuse contributor and collaborator (which requires explicitly adding someone to the repository). Ultimately this is a misconfiguration on part of the maintainer but another example where fixing a typo can play a part in an attack.
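As an added illustration of the mix-up described above (this is not code from the thread or from any project the commenter refers to; the workflow name, job names and echo steps are placeholders), here is a `pull_request_target` workflow with the weak gate beside the corrected one. `github.event.pull_request.author_association` is the real context field; the two `if:` expressions differ only in which associations they accept.

```yaml
# Added example: two gates for a workflow triggered by pull_request_target.
# The "weak-gate" job reproduces the typo-level mix-up: it accepts CONTRIBUTOR,
# an association any account gets once a commit of theirs has been merged.
# The "hardened-gate" job accepts only associations that require someone to
# have been explicitly added to the repository or organisation.
name: privileged-pr-job

on:
  pull_request_target:
    types: [opened, synchronize]

jobs:
  # Misconfigured gate: CONTRIBUTOR does not imply repository access, so an
  # outside account with a single merged typo fix satisfies this condition.
  weak-gate:
    runs-on: ubuntu-latest
    if: contains(fromJSON('["CONTRIBUTOR","MEMBER","OWNER"]'), github.event.pull_request.author_association)
    steps:
      - run: echo "privileged step would run for a mere CONTRIBUTOR"

  # Corrected gate: COLLABORATOR, MEMBER and OWNER all require an explicit
  # grant of access, so the privileged step never runs for untrusted authors.
  hardened-gate:
    runs-on: ubuntu-latest
    if: contains(fromJSON('["COLLABORATOR","MEMBER","OWNER"]'), github.event.pull_request.author_association)
    steps:
      - run: echo "privileged step for an account with repository access"
```

For workflows triggered by `issue_comment`, the same gate applies to `github.event.comment.author_association` instead. The gate only decides who can trigger the privileged job; it does not by itself make it safe to check out and execute the pull request's head in a `pull_request_target` context.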

1 comment

Thanks, that makes more sense than automatically granting privileges. It definitely seems easy to mix up those two terms, however!