fix: remove untrusted checkout in pr-labelling workflow #1867
Merged
markscott-ms merged 1 commit into finos:main on Nov 27, 2025
Conversation
Removes the explicit checkout of the PR head SHA in the pull_request_target workflow to prevent potential code execution from untrusted PRs. The labeler action uses GitHub API to detect changed files, so it only needs the labeler config from the trusted base branch. Fixes code scanning alert finos#51 (CWE-829)
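The pattern this PR removes, as an added example that is not the project's own workflow and not code from the PR: a constructed pull_request_target workflow that points actions/checkout at github.event.pull_request.head.sha, the same workflow with the ref input dropped so the checkout falls back to the trusted base ref, and a small line-oriented check (not a YAML parser) that flags checkout steps whose ref or repository input is PR-controlled inside pull_request_target workflows. The workflow text, step layout and the checker are assumptions for illustration; actions/checkout@v4, actions/labeler@v5 and the expression names are real, but the file below is not the repository's pr-labelling workflow.

```python
"""Flag checkouts of untrusted PR refs in pull_request_target workflows.

Constructed example: the sample workflows are illustrative, not the
finos/architecture-as-code pr-labelling workflow. The scanner is a small
line-oriented check, not a YAML parser; it shows the pattern the PR fixes
and is not a replacement for a real static analyser.
"""
import re

# Expressions that resolve to attacker-controlled content in a PR context:
# the PR head commit/branch, the head (fork) repository, or the merge ref.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/"
)


def on_block(text: str) -> str:
    """Return the top-level `on:` block (workflow triggers) as raw text."""
    out, inside = [], False
    for line in text.splitlines():
        if re.match(r"""^(on|'on'|"on"):""", line):
            inside = True
        elif inside and line and not line[0].isspace() and not line.startswith("#"):
            break  # the next top-level key ends the block
        if inside:
            out.append(line)
    return "\n".join(out)


def uses_pull_request_target(text: str) -> bool:
    """True if the workflow runs on pull_request_target, i.e. with the base
    repository's secrets and a write-capable GITHUB_TOKEN."""
    return re.search(r"\bpull_request_target\b", on_block(text)) is not None


def split_steps(text: str):
    """Yield (line_no, chunk) for each '- ' list item plus its nested lines.
    Sufficient for a workflow's steps list; not a general YAML parser."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)- ", lines[i])
        if not m:
            i += 1
            continue
        indent, start = len(m.group(1)), i
        i += 1
        while i < len(lines):
            cur = lines[i]
            if cur.strip() and len(cur) - len(cur.lstrip()) <= indent:
                break
            i += 1
        yield start + 1, "\n".join(lines[start:i])


def find_untrusted_checkouts(text: str):
    """Return [(line_no, input_name, value)] for actions/checkout steps in a
    pull_request_target workflow whose ref/repository comes from the PR."""
    findings = []
    if not uses_pull_request_target(text):
        return findings  # a plain pull_request job from a fork has no secrets
    for line_no, chunk in split_steps(text):
        if not re.search(r"uses:\s*['\"]?actions/checkout", chunk):
            continue
        for key in ("ref", "repository"):
            m = re.search(rf"^\s*{key}:\s*(.+?)\s*$", chunk, re.M)
            if m and UNTRUSTED_REF.search(m.group(1)):
                findings.append((line_no, key, m.group(1)))
    return findings


# Constructed sample (hypothetical, not the repository's file): the shape the
# PR removed. The checkout is pointed at the PR head, so attacker-controlled
# files land in a job that holds the base repository's secrets and token.
VULNERABLE = """\
name: Label PRs
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed sample: the same workflow with the `ref` input removed. With no
# ref, actions/checkout uses github.ref, which for pull_request_target is the
# base branch, so only trusted files are in the workspace.
HARDENED = VULNERABLE.replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", ""
)

# Constructed sample: the same checkout under plain `pull_request`. A fork PR
# then runs with a read-only token and no secrets, so this is not the
# privileged-context problem the PR fixes and is not reported.
PR_EVENT = VULNERABLE.replace("pull_request_target:", "pull_request:")

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED),
                     ("pull_request", PR_EVENT)):
        print(name, find_untrusted_checkouts(wf))
```

Removing the ref input is sufficient only while nothing else in the job pulls PR content into the privileged context (a `gh pr checkout`, a build or install step run against the PR tree, a local action resolved from the checkout); the check above only looks at the checkout step itself, so review the remaining steps by hand after applying a fix like this one.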
Contributor
Pull request overview
This PR addresses a security vulnerability (CWE-829) in the pull_request_target workflow by removing the explicit checkout of the untrusted PR head SHA. The pull_request_target event runs in the context of the base branch, and checking out untrusted code can enable malicious code execution. Since the labeler action uses the GitHub API to detect changed files rather than examining the local filesystem, it only requires access to the labeler configuration from the trusted base branch.
- Removed the ref parameter from the checkout action to prevent checking out untrusted PR code
- Maintains labeler functionality while eliminating the security risk
markscott-ms approved these changes on Nov 27, 2025
Description
Fixes code scanning alert #51 (CWE-829)
https://github.com/finos/architecture-as-code/security/code-scanning/51