Skip to content

Add CI security blog post and remove legacy pull_request_target workflow#900

Open
osterman wants to merge 5 commits intomasterfrom
osterman/ci-security-blog
Open

Add CI security blog post and remove legacy pull_request_target workflow#900
osterman wants to merge 5 commits intomasterfrom
osterman/ci-security-blog

Conversation

@osterman
Copy link
Copy Markdown
Member

@osterman osterman commented Apr 13, 2026

what

  • Added a changelog blog post disclosing the hardening of PR preview workflows following a responsible security disclosure by researcher Aviv Donenfeld
  • Removed the last remaining pull_request_target-based workflow (atmos-terraform-plan.yaml) from examples/legacy/snippets/
  • Updated package-lock.json with peer dependency annotations

why

  • A responsible disclosure identified that pull_request_target workflows can bypass PR approval gates when they execute code influenced by untrusted PRs
  • This was the last instance of the pattern in the organization — removing it completes the phase-out
  • The blog post provides transparency and links to upstream GitHub guidance for customers and the community

references

@osterman @claude
Add CI security blog post and remove legacy pull_request_target workflow
a97e850 
Adds a changelog blog post about hardening PR preview workflows following a responsible
disclosure, removes the last remaining pull_request_target-based workflow, and updates
package-lock.json.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@osterman @claude
Rewrite legacy plan workflow to use pull_request trigger and environment
c3679a4 
Instead of deleting the legacy workflow, rewrite it to demonstrate the secure
pattern: use `pull_request` instead of `pull_request_target`, add a `plan`
environment for approval gating, and use `github.sha` instead of the PR head ref.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@osterman @claude
Point legacy GitOps docs to Atmos Native CI
043a627 
Restore the Atmos Terraform Plan section in example-workflows.mdx now that the
workflow has been rewritten to use pull_request + environment instead of
pull_request_target.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@osterman