Skip to content

chore(ci): Explain usage of pull_request_target#1760

Merged
Tobbe merged 1 commit into
mainfrom
tobbe-chore-require-milestone-workflow-explanation
May 12, 2026
Merged

chore(ci): Explain usage of pull_request_target#1760
Tobbe merged 1 commit into
mainfrom
tobbe-chore-require-milestone-workflow-explanation

Conversation

@Tobbe
Copy link
Copy Markdown
Member

@Tobbe Tobbe commented May 12, 2026

In the light of this https://tanstack.com/blog/npm-supply-chain-compromise-postmortem I wanted to audit our codebase. Everything looks good, but pull_request_target is always a little bit scary, so I added some more comments explaining how we use it in a safe way

@netlify
Copy link
Copy Markdown

netlify Bot commented May 12, 2026
edited
Loading

Deploy Preview for cedarjs canceled.

Name Link
🔨 Latest commit 91badd8
🔍 Latest deploy log https://app.netlify.com/projects/cedarjs/deploys/6a033f139e94830008a06a10

@github-actions github-actions Bot added this to the chore milestone May 12, 2026
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented May 12, 2026

Greptile Summary

This PR adds detailed inline comments to .github/workflows/require-milestone.yml explaining why pull_request_target is used and how it is kept secure, motivated by a supply-chain security audit after the TanStack npm compromise. No workflow logic, steps, or permissions were changed.

  • pull_request routing: comments clarify that same-repo PRs use the PR branch's code so workflow changes can be tested before merging, with pull-requests: write being the narrowest permission needed.
  • pull_request_target routing: comments document the two critical safety properties — the checkout never targets the fork's merge ref, and the local milestone action only reads PR metadata and calls the GitHub API (never executing fork-controlled code).
  • Project overview doc (docs/implementation-docs/2026-03-26-cedarjs-project-overview.md) was reviewed per the repository owner's instruction and its contents remain factually accurate; this PR does not affect it.

Confidence Score: 5/5

This PR is safe to merge — it is a comment-only change with no modifications to workflow logic, permissions, or actions.

Only YAML comments were added or rewritten; the if: condition, permissions block, steps, and all action references are identical to the base branch. The security reasoning in the new comments accurately describes the existing workflow's safety properties.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/require-milestone.yml Documentation-only change — expands inline comments to explain the security model behind using pull_request_target safely; no functional changes to the workflow logic or steps.

Reviews (1): Last reviewed commit: "chore(ci): Explain usage of pull_request..." | Re-trigger Greptile

@Tobbe Tobbe merged commit 4970216 into main May 12, 2026
33 checks passed
@Tobbe Tobbe deleted the tobbe-chore-require-milestone-workflow-explanation branch May 12, 2026 15:06
Tobbe added a commit that referenced this pull request May 12, 2026
@Tobbe
chore(ci): Explain usage of pull_request_target (#1760)
a45dec0 
In the light of this
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem I
wanted to audit our codebase. Everything looks good, but
`pull_request_target` is always a little bit scary, so I added some more
comments explaining how we use it in a safe way
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

chore

Development

Successfully merging this pull request may close these issues.

1 participant

@Tobbe