Suggest replacing `pull_request_target` in branches as well as `main`
forestmonster opened this issue
As in #1790, the same issue can occur in any PRs that were opened before remediation in your main branch. This could mean that other branches are vulnerable. We recommend that you ensure a manual review step remains enabled, and review GitHub's best practices for unprivileged workflows in order to prevent exploitation using Pwn Request. From that document,
> All PRs that were opened before a fix was made to the vulnerable workflow will use the version of the workflow as it existed at the time the PR was opened. That means that if there is a pending PR, any updates to the PR may still abuse the vulnerable workflow.
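For reference, here is the workflow shape the issue is about next to the split that GitHub's unprivileged-workflow guidance recommends. This is an added illustration, not a file from this repository or from the issue author; the workflow names, job ids, the `npm` commands and the `maintainer-approval` environment are assumptions chosen for the example.

```yaml
# Added example (not from the issue or the project). Job ids, commands and the
# "maintainer-approval" environment name are assumptions.

# --- Shape that enables a "Pwn Request" ---
# The privileged trigger (write token + repository secrets) checks out the PR
# head from a fork and then executes code from it.
#
# on: pull_request_target
# jobs:
#   build:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#         with:
#           ref: ${{ github.event.pull_request.head.sha }}   # untrusted fork commit
#       - run: npm ci && npm test                              # runs it with secrets in scope

# --- Safer shape, part 1: untrusted code runs only in the unprivileged trigger ---
name: ci
on:
  pull_request:                 # forks get a read-only token and no repository secrets
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # keep the default token minimal even for same-repo PRs
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

---
# --- Safer shape, part 2: the privileged trigger never checks out or runs PR code ---
name: pr-triage
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  label:
    runs-on: ubuntu-latest
    environment: maintainer-approval   # assumed environment configured with required reviewers,
                                       # so the job waits for the manual review step the issue asks for
    permissions:
      pull-requests: write             # only what this job needs
    steps:
      # No actions/checkout of the PR head here: the job uses event metadata only.
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              labels: ['needs-review'],
            });
```

Landing this on `main` only protects PRs opened against `main` after the change; as the quoted guidance says, a PR that was already open keeps running the workflow version it was opened against, and the same applies per branch, which is why every branch that still carries the first shape needs the same change.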