diff --git a/.github/workflows/trigger-pr-review-fork.yml b/.github/workflows/trigger-pr-review-fork.yml
deleted file mode 100644
index df366198..00000000
--- a/.github/workflows/trigger-pr-review-fork.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-# ⚠️ SECURITY WARNING — READ BEFORE USING
-#
-# This workflow uses the `pull_request_target` trigger so that it runs in the
-# context of the *base* repository and has access to repository secrets.
-# That makes it work for pull requests from forks, which do NOT have access
-# to secrets when triggered by the standard `pull_request` event.
-#
-# RISKS ON PUBLIC REPOSITORIES
-# • `pull_request_target` grants access to secrets even for untrusted forks.
-# • If you add `setup-commands` that execute code from the pull request, a
-#   malicious fork could exfiltrate your secrets.
-# • The agent itself does NOT check out PR code — it reads the diff via the
-#   GitHub API — so it is safe in the default configuration. Any change to
-#   `setup-commands` that runs fork code breaks that guarantee.
-#
-# RECOMMENDATION
-# • Only use this trigger on PRIVATE repositories, or on public repositories
-#   where every contributor is explicitly trusted.
-# • Never pass `setup-commands` that check out or execute code from the PR.
-# • Prefer the standard `pull_request` trigger (pr-review/example.yml) for
-#   public repositories.
-name: Trigger PR Review (Fork)
-on:
-  pull_request_target:
-    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
-
-permissions:
-  contents: read
-  issues: read
-  pull-requests: write
-
-jobs:
-  run:
-    if: >-
-      github.event.pull_request.draft == false &&
-      !contains(github.event.pull_request.labels.*.name, 'skip-auto-pr-review')
-    uses: ./.github/workflows/gh-aw-pr-review.lock.yml
-    secrets:
-      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
diff --git a/scripts/dogfood.sh b/scripts/dogfood.sh
index 725b91c4..336e6df9 100755
--- a/scripts/dogfood.sh
+++ b/scripts/dogfood.sh
@@ -20,6 +20,7 @@ cd "$REPO_ROOT"
 EXCLUDED_WORKFLOWS=(
   "flaky-test-triage"
   "issue-triage-pr"
+  "pr-review-fork"
 )
 
 echo "Syncing workflow files..."
@@ -36,7 +37,7 @@ for f in gh-agent-workflows/*/example.yml; do
   done
   if [[ "$skip" == "true" ]]; then
     rm -f ".github/workflows/trigger-$dir.yml"
-    echo " ✗ gh-agent-workflows/$dir/example.yml (excluded)"
+    echo " ✗ gh-agent-workflows/$dir/example.yml (excluded — manual sync required)"
     continue
   fi
   sed 's|uses: elastic/ai-github-actions/\(.*\)@v0|uses: ./\1|; s|^name: |name: Trigger |' "$f" \
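Review bot: The new message `(excluded — manual sync required)` is printed right after `rm -f ".github/workflows/trigger-$dir.yml"`, so a trigger file that someone does sync by hand under that name is deleted again on the next run of this script; either the message should say the file is intentionally not installed, or the `rm -f` should be skipped for entries that are meant to be maintained manually. For `pr-review-fork` in particular the exclusion is a security decision rather than a sync gap: the trigger removed in the same commit ran on `pull_request_target` and passed `COPILOT_GITHUB_TOKEN`, which makes the secret reachable from fork pull requests on a public repository, and nothing in the script records that, so a "manual sync required" prompt invites re-adding it. I would annotate the new array entry, e.g. `"pr-review-fork"  # pull_request_target + secrets: not installed on purpose, do not sync by hand on a public repo`, and presumably point at the source example under gh-agent-workflows/ for the rationale. The `for` loop containing the second hunk starts before the hunk and continues after it.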