update (#1031)

Signed-off-by: laurentsimon <laurentsimon@google.com> Signed-off-by: laurentsimon <laurentsimon@google.com>
ossf · Dec 9, 2022 · 420fff2 · 420fff2
1 parent 8d8c1ec
commit 420fff2
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 83 deletions.
diff --git a/main.go b/main.go
@@ -24,6 +24,12 @@ import (
 )
 
 func main() {
+	triggerEventName := os.Getenv("GITHUB_EVENT_NAME")
+	if triggerEventName == "pull_request_target" {
+		log.Fatalf("pull_request_target trigger is not supported for security reasons" +
+			"see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/")
+	}
+
 	action, err := entrypoint.New()
 	if err != nil {
 		log.Fatalf("creating scorecard entrypoint: %v", err)
@@ -35,7 +41,7 @@ func main() {
 
 	if os.Getenv(options.EnvInputPublishResults) == "true" &&
 		// `pull_request` do not have the necessary `token-id: write` permissions.
-		os.Getenv("GITHUB_EVENT_NAME") != "pull_request" {
+		triggerEventName != "pull_request" {
 		// Get json results by re-running scorecard.
 		jsonPayload, err := signing.GetJSONScorecardResults()
 		if err != nil {

diff --git a/starter-workflows/code-scanning/properties/scorecards.properties.json b/starter-workflows/code-scanning/properties/scorecards.properties.json
diff --git a/starter-workflows/code-scanning/scorecards.yml b/starter-workflows/code-scanning/scorecards.yml