diff --git a/dist/index.js b/dist/index.js
index b0f11a1..5fc2806 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -2833,9 +2833,9 @@ function assertSafePrCheckout(input) {
 throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
 `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
 `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
- `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
- `the risks at https://gh.io/securely-using-pull_request_target, set ` +
- `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
+ `context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
+ `at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
+ `on the actions/checkout step.`);
 }
 function pushIfSha(target, value) {
 if (typeof value === 'string' && value.length > 0) {
diff --git a/src/unsafe-pr-checkout-helper.ts b/src/unsafe-pr-checkout-helper.ts
index efc0ef6..f6bf389 100644
--- a/src/unsafe-pr-checkout-helper.ts
+++ b/src/unsafe-pr-checkout-helper.ts
@@ -75,9 +75,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
 `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
 `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
 `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
- `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
- `the risks at https://gh.io/securely-using-pull_request_target, set ` +
- `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
+ `context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
+ `at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
+ `on the actions/checkout step.`
 )
 }
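Review bot: The reworded closing sentence of the message in assertSafePrCheckout still offers only one remedy, setting `allow-unsafe-pr-checkout: true`, so a maintainer who hits this error is steered toward the bypass rather than toward a workflow layout that does not need it. Consider adding one segment ahead of the opt-in sentence that names the safe path first, for example `If the job needs no secrets or write access, run it on the 'pull_request' event instead. `, and keeping the opt-in as the last resort. The function starts above the hunk, so which values of `eventName` reach this throw is not visible here and the wording may need adjusting for events other than pull_request_target. The same text in dist/index.js is build output and would follow from a rebuild.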