
Disable pr-tools.yml due to security vulnerability#1996

Merged
jminor merged 1 commit into AcademySoftwareFoundation:main from jminor:remove-vuln
Mar 3, 2026

Conversation

@jminor (Collaborator) commented Mar 3, 2026

It has been brought to our attention that use of pull_request_target creates an opportunity for bad actors to do damage by posting pull requests that run undesirable code within this project's base repo. This PR disables the one workflow that uses that feature.

I opted to leave that code in place, just commented out, in the hopes that some alternate safer implementation becomes available.

Read more here:

…arget`

Signed-off-by: Joshua Minor <jminor@users.noreply.github.com>
@jminor jminor requested a review from jhodges10 March 3, 2026 04:35
@github-actions github-actions bot added the ci label Mar 3, 2026
@jminor (Collaborator, Author) commented Mar 3, 2026

FYI, we have some limited protection from this attack due to this setting on the repo which requires a maintainer to approve actions from new contributors, but a misleading PR could trick someone into allowing it to run.
image
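The two comments above describe the risk (a pull_request_target job runs with the base repo's privileges while a fork's code may be checked out into it) and the mitigation applied here (the workflow left in place but commented out). Below is an added example, not part of this PR or of the OpenTimelineIO project, of a small heuristic audit that flags exactly that combination in a workflow file; the sample workflows are constructed for illustration and are not the real pr-tools.yml.

```python
import re

# Constructed sample workflows for illustration; not the project's own pr-tools.yml.
UNSAFE_WORKFLOW = """\
name: pr-tools
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install . && python -m pytest
"""

SAFE_WORKFLOW = """\
name: tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install . && python -m pytest
"""

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# Expressions that pull the fork's commit into the privileged checkout.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")
RUN_RE = re.compile(r"^\s*-?\s*run\s*:", re.MULTILINE)

def strip_yaml_comments(text: str) -> str:
    """Drop whole-line comments, so a workflow left commented out (as in this PR) is inert."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def audit_workflow(text: str) -> list[str]:
    """Heuristic, line-based audit (no YAML parser needed). Returns findings, worst last."""
    text = strip_yaml_comments(text)
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # plain pull_request: fork PRs get a read-only token and no secrets
    findings.append("pull_request_target: job runs with base-repo secrets and a write token")
    if HEAD_REF_RE.search(text):
        findings.append("checks out the PR head: the contributor's code is now in that job")
        if RUN_RE.search(text):
            findings.append("run step after checkout: scripts and tests from the fork execute")
    return findings
```

A pull_request_target workflow that never checks out the PR head (for example a labeler that only reads event metadata) yields a single low-severity finding, which is the pattern the trigger is designed for.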

@codecov-commenter: Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.15%. Comparing base (f3cb304) to head (d772c15).


@@           Coverage Diff           @@
##             main    #1996   +/-   ##
=======================================
  Coverage   85.15%   85.15%           
=======================================
  Files         181      181           
  Lines       12783    12783           
  Branches     1206     1206           
=======================================
  Hits        10885    10885           
  Misses       1715     1715           
  Partials      183      183           
Flag Coverage Δ
py-unittests 85.15% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@darbyjohnston (Contributor) left a comment

LGTM

@jminor jminor merged commit 39dd36c into AcademySoftwareFoundation:main Mar 3, 2026
56 checks passed