Why is the pull_request_target trigger considered dangerous?

It runs in the base repository context with full access to secrets. If a workflow checks out and executes code from a fork using this trigger, an attacker can exfiltrate credentials or compromise the repository.

How does Two-Stage Fork CI improve security?

It separates untrusted testing (using the pull_request trigger without secrets) from privileged operations like commenting (using the workflow_run trigger), creating a security boundary between fork code and repository access.

When should I use pull_request vs pull_request_target?

Use pull_request for testing, linting, and building untrusted code. Use pull_request_target only for tasks that require repository context but do not execute code from the PR, such as labeling or commenting.

What is an approval gate in GitHub Actions?

An approval gate uses GitHub Environments to require a manual review from a maintainer before a workflow can access secrets or deploy code, preventing automated attacks from forks.

GitHub Actions Trigger Security

Name: GitHub Actions Trigger Security
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

セキュリティとテスト

Secures GitHub Actions workflows by implementing safe trigger patterns for pull requests and forks to prevent privilege escalation and secret exfiltration.

概要

This skill provides expert guidance and implementation patterns for securing GitHub Actions triggers, specifically addressing high-risk configurations like pull_request_target. It helps developers implement robust security boundaries by using two-stage CI processes, approval gates for fork deployments, and least-privilege permission sets. By following these patterns, teams can safely accept community contributions while protecting their repository secrets and infrastructure from malicious code injection.

主な機能

Secure Two-Stage Fork CI patterns
Least-privilege GITHUB_TOKEN configuration
Manual approval gates for fork deployments
Detailed comparison of pull_request vs pull_request_target
0 GitHub stars
Defense patterns against credential exfiltration

ユースケース

Safely running tests on community contributions from forks
Hardening CI/CD pipelines against privilege escalation attacks
Implementing secure preview deployments for pull requests

概要

主な機能

Secure Two-Stage Fork CI patterns
Least-privilege GITHUB_TOKEN configuration
Manual approval gates for fork deployments
Detailed comparison of pull_request vs pull_request_target
0 GitHub stars
Defense patterns against credential exfiltration

ユースケース

Safely running tests on community contributions from forks
Hardening CI/CD pipelines against privilege escalation attacks
Implementing secure preview deployments for pull requests