Security: Fix actor spoofing vulnerability in Dependabot workflow (#109519)

Replace github.actor with github.event.pull_request.user.login to prevent
actor context spoofing in pull requests from forks. This ensures only
genuine Dependabot PRs can trigger the workspace update workflow.

Fixes zizmor security finding with Medium confidence level.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Claude <noreply@anthropic.com>
Roberto Jiménez Sánchez 2025-08-12 14:40:03 +02:00 committed by GitHub
parent f2303a8ad9
commit 9b3b6fcdb2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed file with 1 addition and 1 deletion


@ -17,7 +17,7 @@ permissions:
jobs:
update:
runs-on: "ubuntu-latest"
if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
continue-on-error: true
steps:
- name: Retrieve GitHub App secrets
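Review bot: the one-line change to the `if:` condition is correct but undocumented, and the hunk's context hides which event triggers this workflow. `github.event.pull_request.user.login` is only populated for `pull_request` and `pull_request_target` events, so if this job is also reachable from another trigger the comparison evaluates to an empty string and the job is silently skipped (fail closed, but hard to diagnose). Suggest adding a comment directly above the `if:` stating why `github.actor` must not be reintroduced: it names whoever caused the run (a re-run, a push to the PR branch, a label or close/reopen), not the PR author, which is exactly what the zizmor finding in the commit message is about. Note too that the existing `github.event.pull_request.head.repo.full_name == github.repository` clause is what excludes forks; the `user.login` check is what pins the author to Dependabot, so both halves are needed and the comment should say so. Finally, `continue-on-error: true` sits on the same job whose first step is `Retrieve GitHub App secrets`; a one-line note on why a failed secret retrieval should not fail the workflow would keep a future reader from treating it as an oversight.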