Mirror of https://github.com/avelino/awesome-go.git, synced 2026-03-31 08:24:38 +00:00
The pull_request_target workflow checked out and executed Go scripts from the PR head, allowing attackers to inject arbitrary code via init() functions with access to a write-scoped GITHUB_TOKEN. This was confirmed exploited in the wild (ref: StepSecurity blog). Checkout now targets the base branch so only trusted scripts execute. PR head SHA is fetched as data-only for diffing via a new PR_HEAD_SHA env var. Write operations (comments, labels) are isolated in a separate report job that never checks out code. All job permissions follow least privilege — quality runs read-only, report holds the write token.

fixed: #6083

Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
Co-Authored-By: Thierry Abalea <thierry.abalea@shipfox.io>
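A hardened layout for the workflow shape described in the commit message, as an added example rather than the project's own workflow file; the job names, the `./scripts/check` path, its `-head` flag and the action versions are assumptions:

```yaml
name: quality
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Start from no permissions; each job requests only what it needs.
permissions: {}

jobs:
  quality:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # read-only token: nothing here can push, comment or label
    env:
      # PR head commit is handed over as data only; it is never checked out or run.
      PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the BASE branch, so only scripts already merged into the
          # trusted branch execute on the runner (a PR cannot inject Go init()).
          ref: ${{ github.event.pull_request.base.sha }}
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Fetch the PR head as a git object for diffing, without checking it out
        run: git fetch --no-tags origin "$PR_HEAD_SHA"
      - name: Run the trusted checker against the PR diff (hypothetical script path)
        run: go run ./scripts/check -head "$PR_HEAD_SHA" > result.md
      - uses: actions/upload-artifact@v4
        with:
          name: result
          path: result.md
  report:
    needs: quality
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # the only write-scoped token, in a job that never checks out code
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: result
      - uses: actions/github-script@v7
        with:
          script: |
            const body = require('fs').readFileSync('result.md', 'utf8');
            await github.rest.issues.createComment({ ...context.repo,
              issue_number: context.payload.pull_request.number, body });
```

The checker in `quality` sees the PR head only through git objects, so any init() in the PR's Go files never compiles or runs, and the comment in `report` is posted by a job whose working tree is empty.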
13 lines
123 B
Plaintext
out/
awesome-go
.cache/
check-*

# Folders
.idea
.vscode
test_stale_repositories_log
*.exe

# Local Netlify folder
.netlify