
Prevent workflows from being tampered using pull_request_target

Terraform workflows require strong permissions to manage resources, so it is important to prevent the workflows themselves from being tampered with. We therefore recommend using the pull_request_target event instead of the pull_request event. For details, please see the blog post.

Secure GitHub Actions by pull_request_target | dev.to

To use pull_request_target, you need to modify your workflow files as follows:

  1. Fix actions/checkout's ref
  2. Set the environment variables GH_COMMENT_SHA1 and TFCMT_SHA (used by github-comment and tfcmt) to the merge commit hash
  3. Fix OIDC settings
  4. Stop executing feature branches' scripts and actions

Please see the above blog post and tfaction-example.

ci: use pull_request_target | suzuki-shunsuke/tfaction-example#2056
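As an added illustration (not code from this page, the blog post, or the tfaction project), a minimal workflow that applies the four steps above. The `aws-actions/configure-aws-credentials` step, the role ARN and the `infra` directory are assumptions for the example.

```yaml
name: terraform-plan
on:
  pull_request_target:
    branches: [main]

# pull_request_target runs in the context of the base branch, with write
# permissions and access to secrets, so nothing taken from the pull request
# may be executed.
permissions:
  id-token: write      # needed to request an OIDC token
  contents: read
  pull-requests: write # github-comment / tfcmt post plan results

jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      # Step 1: check out the merge commit explicitly. The default ref of a
      # pull_request_target run is the base branch, not the pull request.
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          persist-credentials: false

      # Step 2: export the merge commit hash for github-comment and tfcmt,
      # which would otherwise report against github.sha (the base branch head).
      - name: Export merge commit SHA
        run: |
          sha=$(git rev-parse HEAD)
          echo "GH_COMMENT_SHA1=$sha" >> "$GITHUB_ENV"
          echo "TFCMT_SHA=$sha" >> "$GITHUB_ENV"

      # Step 3: the OIDC token's sub claim is now
      # repo:<owner>/<repo>:ref:refs/heads/main instead of
      # repo:<owner>/<repo>:pull_request, so the cloud-side trust policy
      # (the IAM role condition on token.actions.githubusercontent.com:sub)
      # must allow the base-branch value. The role ARN below is a placeholder.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/terraform-plan
          aws-region: us-east-1

      # Step 4: run nothing from the checked-out tree (no ./scripts, no
      # uses: ./.github/actions/...); that content comes from the pull request.
      # Only pinned remote actions and commands written in this workflow file,
      # which is read from the base branch, are executed.
      - run: terraform -chdir=infra init -input=false
      - run: terraform -chdir=infra plan -input=false
```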