by danudey 243 days ago
Yes, but IIRC when you run `pull_request_target` the credentials are to the target repository - i.e. the one you're merging into. When you run `pull_request`, it's to the source repository, the one the attacker is in control of.