Hacker News
by jadamson 372 days ago
`pull_request_target` (which has access to secrets) runs in the context of the destination branch, so any malicious workflow would need to have already been committed.
GitHub has a page on this:
https://securitylab.github.com/resources/github-actions-prev...