alteropen/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-02-22 04:22:50 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Mitigate pull_request_target privilege escalation

Browse Source 
Hotfix — replaces pull_request_target with pull_request to stop
granting write permissions and secrets to fork PRs. Some workflows
will break; can be fixed properly later.
This commit is contained in:
Andrew Rabert
2026-02-19 23:53:48 -05:00
parent 6829794aa0
commit 01eb56f047
5 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/ci-openapi.yml vendored
View File

@@ -5,7 +5,7 @@ on:
- master
tags:
- 'v*'
pull_request_target:
pull_request:
permissions: {}
@@ -78,7 +78,7 @@ jobs:
pull-requests: write
name: OpenAPI - Difference
if: ${{ github.event_name == 'pull_request_target' }}
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
needs:
- openapi-head
@@ -109,7 +109,7 @@ jobs:
publish-unstable:
name: OpenAPI - Publish Unstable Spec
if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
if: ${{ github.event_name != 'pull_request' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
runs-on: ubuntu-latest
needs:
- openapi-head