From aec500ee3b8a2f6985f345db830e183805fb8220 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9sar=20Arroba?= <19954079+cesararroba@users.noreply.github.com>
Date: Tue, 30 Jun 2026 18:29:29 +0200
Subject: [PATCH] fix(ci): harden pull_request_target workflows (persist-credentials + toJson) (#11747)

---
 .github/workflows/pr-conflict-checker.yml | 3 +--
 .github/workflows/pr-merged.yml | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml
index ff3871bf73..e0aba02d48 100644
--- a/.github/workflows/pr-conflict-checker.yml
+++ b/.github/workflows/pr-conflict-checker.yml
@@ -37,8 +37,7 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 1
- # zizmor: ignore[artipacked]
- persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+ persist-credentials: false # No write token in the untrusted PR-head tree; public repo so base fetch/changed-files work unauthenticated
 - name: Fetch PR base ref for tj-actions/changed-files
 env:
diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml
index 2a1f3d77f1..fc88a69e08 100644
--- a/.github/workflows/pr-merged.yml
+++ b/.github/workflows/pr-merged.yml
@@ -56,6 +56,6 @@ jobs:
 "PROWLER_PR_BODY": ${{ toJson(github.event.pull_request.body) }},
 "PROWLER_PR_URL": ${{ toJson(github.event.pull_request.html_url) }},
 "PROWLER_PR_MERGED_BY": "${{ github.event.pull_request.merged_by.login }}",
- "PROWLER_PR_BASE_BRANCH": "${{ github.event.pull_request.base.ref }}",
- "PROWLER_PR_HEAD_BRANCH": "${{ github.event.pull_request.head.ref }}"
+ "PROWLER_PR_BASE_BRANCH": ${{ toJson(github.event.pull_request.base.ref) }},
+ "PROWLER_PR_HEAD_BRANCH": ${{ toJson(github.event.pull_request.head.ref) }}
 }
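Review bot: The trailing comment on the new `persist-credentials: false` line in pr-conflict-checker.yml packs two separate invariants (no token in the untrusted PR-head tree; unauthenticated base fetch only works because the repo is public) into one 140-character inline comment, which is easy to lose on a later edit of this step. Move it above the key, one invariant per line: `# Untrusted PR-head checkout under pull_request_target: never persist the token.`, `# The base-ref fetch / changed-files run unauthenticated, which relies on the repo staying public.`, then `persist-credentials: false`. The "public repo" assumption is worth stating explicitly in the `Fetch PR base ref` step as well, since that is the step that would fail if it ever stops holding; its `env:` block is cut off at the end of the hunk, so whether it injects its own token cannot be confirmed from here. The checkout step this `with:` block belongs to starts above the hunk.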
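Review bot: The `PROWLER_PR_MERGED_BY` context line in pr-merged.yml still uses the quoted-interpolation form that this hunk replaces for `base.ref` and `head.ref`, so the JSON object is now built two different ways; for consistency and so that a missing `merged_by` yields the JSON literal `null` rather than an empty string, change it to `"PROWLER_PR_MERGED_BY": ${{ toJson(github.event.pull_request.merged_by.login) }},`. Note that `toJson` only guarantees the JSON stays well-formed; `head.ref` and `body` remain contributor-controlled data, so whatever consumes this object (the key it is assigned to and the `run:` or script that reads it are outside the hunk) must still treat those fields as opaque strings rather than interpolating them into a shell or command line. A one-line comment above the object such as `# PR fields are untrusted input: every value goes through toJson, consumers must not eval or shell-interpolate them` would record that contract next to the data.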