midnightntwrk · gilescope · Sep 4, 2025 · Sep 4, 2025 · Sep 4, 2025 · Sep 4, 2025
@@ -34,10 +34,22 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Check access
-        if: ${{ github.event.pull_request.author_association != 'COLLABORATOR' && github.event.pull_request.author_association != 'OWNER' && github.event.pull_request.author_association != 'MEMBER' }}
+      # From https://michaelheap.com/access-secrets-from-forks/
+      # Also see https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@7b90a27f92f3961b368376107661682c441f6103  #v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
         run: |
-          echo "This job needs re-running by someone with collaboration permissions."
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
           exit 1
 
       # This is dangerous without the first access check
@@ -112,7 +124,7 @@ jobs:
       - uses: actions/upload-artifact@v4
         with:
           name: cx_result-sarif
-          path: cx_result.sarif
+          path: ./cx_result.sarif
 
       # Upload results to github
       - name: Upload SARIF file