Comments (3)

privatenumber commented on June 14, 2024

Thanks for the report and for using pkg-size!

I did some Googling for that error message and they all seem to point at a lack of permissions in the token.

Seems this is happening because it was executed via fork as per this security change: announcement, docs

The permissions for the GITHUB_TOKEN in forked repositories are read-only.

There doesn't seem to be an option to further specify allowing comments.

To work around:

  • You can use a Personal Access Token (PAT) and add that to Secrets. The caveat is that the report will be posted by the account that owns the PAT.
  • I'm reading that pull_request_target has read + write permissions, so it's possible to use that instead of pull_request, but it seems to run in the base context, which I haven't tested yet.

awmleer commented on June 14, 2024

Thanks for replying!

The pull_request_target trigger is in the BASE context. If we check out the HEAD commit, the PR author may inject some malicious code into the "build" script in package.json, which will be executed by this GitHub Action. This is dangerous since the PR author can use the GITHUB_TOKEN with write access to run any script. Here is an official guideline: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

As for the Personal Access Token, it seems to have the same security issue.

The guideline above mentions a recommended solution: split the action into two parts. One for building, collecting package size data and uploading the result (using the pull_request trigger), and the other for downloading the result and commenting it on the PR (using the pull_request_target trigger).
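The two-workflow split described in the comment above, as an added example that is not from the pkg-size project or from either commenter. The first workflow runs on `pull_request` with a read-only token, executes the fork's build, and only uploads an artifact; the second runs in the base repository with write permission, never checks out fork code, and posts the comment. It follows the linked guideline's pattern of triggering the privileged half with `workflow_run` on the completed build rather than `pull_request_target`, because a `pull_request_target` run starts alongside the build and cannot wait for its artifact. The file names, workflow names, report file name and the `du`-based measurement step are assumptions; the `uses:` references are shown as version tags here and would be pinned to full commit SHAs in a real repository.

```yaml
# .github/workflows/pkg-size-build.yml  (assumed file name)
# Untrusted half: runs the fork's code, but only with a read-only GITHUB_TOKEN.
name: pkg-size build
on:
  pull_request:
permissions:
  contents: read
jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # checks out the PR head (fork code)
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm run build                 # PR-controlled scripts run here, without write access
      - run: |
          # Placeholder for the real size measurement; the report is treated as
          # plain text by the privileged workflow, never executed.
          du -sh dist > pkg-size-report.md
          echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pkg-size-report
          path: |
            pkg-size-report.md
            pr-number.txt
---
# .github/workflows/pkg-size-comment.yml  (assumed file name)
# Privileged half: has write access, so it must execute nothing from the fork.
name: pkg-size comment
on:
  workflow_run:
    workflows: ["pkg-size build"]
    types: [completed]
permissions:
  pull-requests: write
  actions: read                            # required to download another run's artifact
jobs:
  comment:
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: checking out the PR head here would
      # let the fork's package.json scripts run with a write-capable token.
      - uses: actions/download-artifact@v4
        with:
          name: pkg-size-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const prNumber = Number(fs.readFileSync('pr-number.txt', 'utf8').trim());
            if (!Number.isInteger(prNumber) || prNumber <= 0) {
              throw new Error('artifact does not carry a valid PR number');
            }
            // The artifact was produced by fork code, so its PR number is untrusted:
            // it must name the PR whose head commit produced this workflow_run,
            // otherwise a fork could direct the comment at an unrelated PR.
            const pr = await github.rest.pulls.get({
              owner: context.repo.owner, repo: context.repo.repo, pull_number: prNumber,
            });
            if (pr.data.head.sha !== context.payload.workflow_run.head_sha) {
              throw new Error('PR number in artifact does not match the run that produced it');
            }
            const body = fs.readFileSync('pkg-size-report.md', 'utf8');
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: prNumber, body,
            });
```

The boundary to keep in mind is the data flow from the first workflow into the second: everything in the artifact (the report text and the PR number) is attacker-influenced, so the privileged job only reads it as data, validates the PR number against the run's own head commit, and posts it as comment text rather than interpreting it in any way.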

privatenumber commented on June 14, 2024

This seems like a common problem: https://github.community/t/token-permissions-for-forks-once-again/16468/6

It doesn't seem like there's a workaround to post comments from a fork.

I wonder if workflow_dispatch can be used to manually trigger the action on approved PRs.

(FWIW since you seem to be security conscious, in general, using any 3rd party GitHub Action via tag is insecure.)
