← 返回首页
fix: Removed usage of pull_request_target as much as possible to prev… · lokeshrangineni/feast@3198371 · GitHub
Skip to content

Navigation Menu

Toggle navigation
Sign in
Appearance settings
Search or jump to...

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches

Use saved searches to filter your results more quickly

Appearance settings
Resetting focus

Commit 3198371

Browse files
authored
fix: Removed usage of pull_request_target as much as possible to prevent security concerns (feast-dev#4549)
* Test workflow changes: on from pull_request_target to pull_request Signed-off-by: Theodor Mihalache <tmihalac@redhat.com> * fix: Removed usage of pull_request_target as much as possible to prevent security concerns Signed-off-by: Theodor Mihalache <tmihalac@redhat.com> --------- Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
1 parent 354c059 commit 3198371

4 files changed

Lines changed: 18 additions & 13 deletions

File tree

‎.github/workflows/java_pr.yml‎

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,9 @@ on:
77
- synchronize
88
- labeled
99

10+
permissions:
11+
pull-requests: read
12+
1013
jobs:
1114
lint-java:
1215
# when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
@@ -23,6 +26,7 @@ jobs:
2326
# code from the PR.
2427
ref: refs/pull/${{ github.event.pull_request.number }}/merge
2528
submodules: recursive
29+
persist-credentials: false
2630
- name: Lint java
2731
run: make lint-java
2832

@@ -42,6 +46,7 @@ jobs:
4246
# code from the PR.
4347
ref: refs/pull/${{ github.event.pull_request.number }}/merge
4448
submodules: recursive
49+
persist-credentials: false
4550
- name: Set up JDK 11
4651
uses: actions/setup-java@v1
4752
with:
@@ -84,6 +89,7 @@ jobs:
8489
- uses: actions/checkout@v4
8590
with:
8691
submodules: 'true'
92+
persist-credentials: false
8793
- name: Setup Python
8894
uses: actions/setup-python@v5
8995
id: setup-python
@@ -120,6 +126,7 @@ jobs:
120126
# code from the PR.
121127
ref: refs/pull/${{ github.event.pull_request.number }}/merge
122128
submodules: recursive
129+
persist-credentials: false
123130
- name: Set up JDK 11
124131
uses: actions/setup-java@v1
125132
with:

‎.github/workflows/lint_pr.yml‎

Lines changed: 2 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,16 @@
11
name: lint-pr
22

33
on:
4-
pull_request_target:
4+
pull_request:
55
types:
66
- opened
77
- edited
88
- synchronize
99

10-
permissions:
11-
# read-only perms specified due to use of pull_request_target in lieu of security label check
12-
pull-requests: read
13-
1410
jobs:
1511
validate-title:
1612
if:
17-
github.repository == 'feast-dev/feast'
13+
github.event.pull_request.base.repo.full_name == 'feast-dev/feast'
1814
name: Validate PR title
1915
runs-on: ubuntu-latest
2016
steps:

‎.github/workflows/pr_integration_tests.yml‎

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,9 @@ on:
1111
#concurrency:
1212
# group: pr-integration-tests-${{ github.event.pull_request.number }}
1313
# cancel-in-progress: true
14+
permissions:
15+
actions: write
16+
pull-requests: read
1417

1518
jobs:
1619
integration-test-python:
@@ -46,6 +49,7 @@ jobs:
4649
# code from the PR.
4750
ref: refs/pull/${{ github.event.pull_request.number }}/merge
4851
submodules: recursive
52+
persist-credentials: false
4953
- name: Setup Python
5054
uses: actions/setup-python@v5
5155
id: setup-python

‎.github/workflows/pr_local_integration_tests.yml‎

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -2,19 +2,18 @@ name: pr-local-integration-tests
22
# This runs local tests with containerized stubs of online stores. This is the main dev workflow
33

44
on:
5-
pull_request_target:
5+
pull_request:
66
types:
77
- opened
88
- synchronize
99
- labeled
1010

1111
jobs:
1212
integration-test-python-local:
13-
# when using pull_request_target, all jobs MUST have this if check for 'ok-to-test' or 'approved' for security purposes.
1413
if:
1514
((github.event.action == 'labeled' && (github.event.label.name == 'approved' || github.event.label.name == 'lgtm' || github.event.label.name == 'ok-to-test')) ||
1615
(github.event.action != 'labeled' && (contains(github.event.pull_request.labels.*.name, 'ok-to-test') || contains(github.event.pull_request.labels.*.name, 'approved') || contains(github.event.pull_request.labels.*.name, 'lgtm')))) &&
17-
github.repository == 'feast-dev/feast'
16+
github.event.pull_request.base.repo.full_name == 'feast-dev/feast'
1817
runs-on: ${{ matrix.os }}
1918
strategy:
2019
fail-fast: false
@@ -27,10 +26,9 @@ jobs:
2726
steps:
2827
- uses: actions/checkout@v4
2928
with:
30-
# pull_request_target runs the workflow in the context of the base repo
31-
# as such actions/checkout needs to be explicit configured to retrieve
32-
# code from the PR.
33-
ref: refs/pull/${{ github.event.pull_request.number }}/merge
29+
repository: ${{ github.event.repository.full_name }} # Uses the full repository name
30+
ref: ${{ github.ref }} # Uses the ref from the event
31+
token: ${{ secrets.GITHUB_TOKEN }} # Automatically provided token
3432
submodules: recursive
3533
- name: Setup Python
3634
uses: actions/setup-python@v5

0 commit comments

Comments
 (0)

Footer

© 2026 GitHub, Inc.