ci: add warning to actions with writeable GITHUB_TOKEN

Co-authored-by: ckie <25263210+ckiee@users.noreply.github.com>
2 years ago · 92a720cbac
parent 819debc357
commit 92a720cbac
3 changed files with 16 additions and 0 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -2,6 +2,12 @@ name: Backport
 on:
  pull_request_target:
    types: [closed, labeled]
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
 jobs:
  backport:
    name: Backport Pull Request
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@ -4,6 +4,11 @@ on:
  pull_request_target:
    types: [edited, opened, synchronize, reopened]

+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows some write
+# access to the GitHub API. This means that it should not evaluate user input in
+# a way that allows code injection.
+
 permissions:
  contents: read
  pull-requests: write
--- a/.github/workflows/pending-set.yml
+++ b/.github/workflows/pending-set.yml
@ -3,6 +3,11 @@ name: "set pending status"
 on:
  pull_request_target:

+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows write access to
+# the GitHub repository. This means that it should not evaluate user input in a
+# way that allows code injection.
+
 jobs:
  action:
    runs-on: ubuntu-latest