ci: build: Enable build on PR and prevent use of pull_request_target

rzr · rzr · commit 7c4a093642fd · 2025-06-02T17:34:32.000+02:00
Also added comment to prevent privileges escalation using pull_request_target (see related change) Relate-to:SiliconLabsSoftware#67 Relate-to: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
diff --git a/.github/workflows/build-rootfs.yml b/.github/workflows/build-rootfs.yml
@@ -3,6 +3,7 @@
 name: z-wave-protocol-controller Build in rootfs for arch
 
 on:  # yamllint disable-line rule:truthy
+  # pull_request_target: # Avoid to prevent CodeQL CWE-829
   push:
     tags:
       - '*'
@@ -18,6 +19,9 @@ jobs:
           - arm64
           # - armhf # TODO Enable when supported
     steps:
+      - name: Security check
+        if: ${{ github.event.action == 'pull_request_target'}}
+        run: echo "Prevent running (CodeQL CWE-829)" && exit 1
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,6 +6,8 @@
 name: build
 
 on:  # yamllint disable-line rule:truthy
+  pull_request:
+  # pull_request_target: # Avoid to prevent CodeQL CWE-829
   push:
 
 jobs:
@@ -16,6 +18,9 @@ jobs:
       project-name: z-wave-protocol-controller  # Align to docker (lowercase)
     runs-on: ubuntu-22.04
     steps:
+      - name: Security check
+        if: ${{ github.event.action == 'pull_request_target'}}
+        run: echo "Prevent running (CodeQL CWE-829)" && exit 1
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,6 +9,7 @@ name: test
 run-name: "test: ${{ github.event.workflow_run.head_branch }}#${{ github.event.workflow_run.head_commit.id }}"
 
 on:  # yamllint disable-line rule:truthy
+  # pull_request_target: # Avoid to prevent CodeQL CWE-829
   workflow_run:
     workflows: ["build"]
     types:
@@ -24,6 +25,9 @@ jobs:
     runs-on: ubuntu-24.04
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
+      - name: Security check
+        if: ${{ github.event.action == 'pull_request_target'}}
+        run: echo "Prevent running (CodeQL CWE-829)" && exit 1
       - name: Download image
         id: image
         # yamllint disable-line rule:line-length
