@qualcomm-linux/camera-driver-maint 👋 This repository uses GitHub Actions' pull_request_target trigger, which is one of the most commonly-abused sources of CI/CD supply chain compromise. We've opened this issue so the maintainers know about it and can plan a fix.
What we found
The following workflow file(s) in this repository use pull_request_target:
- .github/workflows/qcom-preflight-checks.yml (Qualcomm preflight workflow)
Why this matters
Even with "Require approval for all external contributors" enabled for fork pull request workflows, the pull_request_target event bypasses that check and runs immediately -- potentially with write access to the repository and its secrets. An attacker who opens a PR from a fork can run arbitrary code with your repo's credentials.
See go/github-pull-request-target for background, common pitfalls, and secure alternatives.
What we've done in the meantime
As a precaution, we've limited pull request creation on this repository to collaborators (members with write access) until the workflow is fixed. External contributors will not be able to open new PRs against this repo until the restriction is lifted.
Heads up: Qualcomm preflight workflow detected
One or more of the workflows above is a copy of qcom-preflight-checks.yml, which is maintained by our team. Older versions of this workflow used pull_request_target and are the most likely source of this finding.
Please update to the latest version, which no longer uses pull_request_target:
https://github.com/qualcomm/qcom-actions/blob/main/.github/workflows/qcom-preflight-checks.yml
In many cases we've already opened a pull request against this repository with the updated workflow -- please review and merge it at your earliest convenience. If the update isn't picked up in a reasonable timeframe, our team may need to merge the PR on your behalf or apply additional restrictions to keep the repository safe.
If you've already updated and are still seeing the finding, let us know at go/ossops.
What we'd like you to do
- Review the workflow file(s) above.
- Either remove the pull_request_target usage, or refactor it to follow the safe patterns at go/github-pull-request-target.
- When you're ready to re-enable external PRs (or if you believe this is a false positive), open a Support Issue at go/ossops and we'll restore PR creation for non-collaborators.
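To help with the review step above, and to make the risk described under "Why this matters" concrete, here is an added example (not part of this issue, the qcom-actions repository, or the preflight workflow itself): a dependency-free Python audit that scans workflow text for the pull_request_target trigger and rates it higher when the workflow also checks out the PR head ref, i.e. runs fork-controlled code with the base repository's token and secrets. The three workflow snippets are constructed for the example, and the line-based heuristics (the `on:` block scan and the `ref:` check) are this example's own assumptions, not a reproduction of OSSOPS Automation's detection logic.

```python
"""Audit GitHub Actions workflow text for the pull_request_target pitfall.

Added example, not OSSOPS tooling. Heuristic and line-based by design: a YAML
parser such as PyYAML maps the key `on` to boolean True, a well-known trap, and
a regex scan is enough to find the trigger and the untrusted-checkout pattern.
"""
import re
from dataclasses import dataclass, field

TOP_LEVEL_KEY = re.compile(r"^[A-Za-z_][\w-]*\s*:")
# Expressions that resolve to the fork's (untrusted) head commit or branch.
PR_HEAD_EXPR = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref"
)


@dataclass
class Finding:
    path: str
    level: str  # "ok", "review" or "high"
    reasons: list = field(default_factory=list)


def on_section(text: str) -> str:
    """Return the lines of the top-level `on:` block (inline or nested form)."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(r"^on\s*:", line):
            inside = True
            out.append(line)
            continue
        if inside:
            if TOP_LEVEL_KEY.match(line):  # next top-level key ends the block
                break
            out.append(line)
    return "\n".join(out)


def checks_out_pr_head(text: str) -> bool:
    """True if any `ref:` value points at the PR head (fork-controlled code)."""
    return any(
        line.strip().startswith("ref:") and PR_HEAD_EXPR.search(line)
        for line in text.splitlines()
    )


def audit_workflow(path: str, text: str) -> Finding:
    """Rate one workflow: ok / review / high (see module docstring)."""
    if not re.search(r"\bpull_request_target\b", on_section(text)):
        return Finding(path, "ok")
    reasons = ["triggered on pull_request_target: runs with the base repo token "
               "and secrets and skips the fork-approval gate"]
    if checks_out_pr_head(text):
        reasons.append("checks out the PR head ref, so fork-controlled code "
                       "runs with those credentials")
        return Finding(path, "high", reasons)
    return Finding(path, "review", reasons)


# Constructed sample workflows (hypothetical, for the example only).
UNSAFE_WORKFLOW = """name: preflight
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make lint
"""

SAFE_WORKFLOW = """name: preflight
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
"""

LABEL_ONLY_WORKFLOW = """name: triage
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for name, body in [("unsafe.yml", UNSAFE_WORKFLOW),
                       ("safe.yml", SAFE_WORKFLOW),
                       ("triage.yml", LABEL_ONLY_WORKFLOW)]:
        f = audit_workflow(name, body)
        print(f"{f.path}: {f.level}", *f.reasons, sep="\n  ")
```

The "review" level is deliberate: a pull_request_target workflow that never checks out or executes PR content (labelling, commenting) can be legitimate, which is the pre-cleared case the automation note mentions, while the "high" combination is the one to remove or refactor per go/github-pull-request-target. To run it over a real repository, read each file under .github/workflows/ and pass its text to audit_workflow.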
Heads up: this was filed by automation
This issue was filed automatically by OSSOPS Automation. It may occasionally flag valid or already-reviewed usage -- for example:
- Uses of pull_request_target that have been pre-cleared with OSSOPS.
- Forks of upstream projects where the workflow is inherited and out of your control.
If either applies, please reach out at go/ossops for assistance and we'll mark this repo as reviewed.
We're also exploring additional security measures to further harden GitHub Actions and CI usage org-wide; expect follow-ups in this space.
Filed by OSSOPS Automation. Questions or false positives: go/ossops.