respond to pull_request_target concerns (#247)

bmw · web-flow · commit f44962a34d5a · 2025-11-24T16:07:58.000-08:00
diff --git a/.github/workflows/assigned.yaml b/.github/workflows/assigned.yaml
@@ -3,11 +3,22 @@ name: Issue Assigned
 on:
   issues:
     types: [assigned]
+permissions: {}  # let's not use any permissions we don't need here
 jobs:
   send-mattermost-message:
     runs-on: ubuntu-latest
     steps:
-    - uses: mattermost/action-mattermost-notify@master
+    # issue triggers in github actions can be dangerous like
+    # pull_request_target because they run with additional privileges in an
+    # environment containing values that can be controlled by an attacker.
+    # because of this, please take extra caution when modifying the steps taken
+    # by this workflow. for additional information, see
+    # https://github.com/certbot/certbot/pull/10490
+    #
+    # we pin this action to a version tested and audited by certbot's
+    # maintainers for extra security. the full hash is used as doing so is
+    # recommended by zizmor
+    - uses: mattermost/action-mattermost-notify@b7d118e440bf2749cd18a4a8c88e7092e696257a
       with:
         MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_ASSIGN_WEBHOOK }}
         TEXT: >
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -8,7 +8,7 @@ on:
   schedule:
     # Run at 4pm UTC or 9am PST
     - cron: "0 16 * * *"
-
+permissions: {}  # let's not use any permissions we don't need here
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -64,6 +64,9 @@ jobs:
         run: |
           WORKFLOW_RUN_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
           echo "{\"text\":\"** :warning: $GITHUB_REPOSITORY: Build failed :warning: ** | [(see details)]($WORKFLOW_RUN_URL) \"}" > mattermost.json
-      - uses: mattermost/action-mattermost-notify@main
+      # we pin this action to a version tested and audited by certbot's
+      # maintainers for extra security. the full hash is used as doing so is
+      # recommended by zizmor
+      - uses: mattermost/action-mattermost-notify@b7d118e440bf2749cd18a4a8c88e7092e696257a
         env:
           MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_WEBHOOK_URL }}
diff --git a/.github/workflows/merged.yaml b/.github/workflows/merged.yaml
@@ -5,12 +5,23 @@ on:
     types:
       - closed
 
+permissions: {}  # let's not use any permissions we don't need here
 jobs:
   if_merged:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     steps:
-    - uses: mattermost/action-mattermost-notify@master
+    # github actions workflows triggered by pull_request_target can be
+    # dangerous because they run with additional privileges in an environment
+    # containing values that can be controlled by an attacker. because of
+    # this, please take extra caution when modifying the steps taken by this
+    # workflow. for additional information, see
+    # https://github.com/certbot/certbot/pull/10490
+    #
+    # we pin this action to a version tested and audited by certbot's
+    # maintainers for extra security. the full hash is used as doing so is
+    # recommended by zizmor
+    - uses: mattermost/action-mattermost-notify@b7d118e440bf2749cd18a4a8c88e7092e696257a
       with:
         MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_MERGE_WEBHOOK }}
         TEXT: >
diff --git a/.github/workflows/review_requested.yaml b/.github/workflows/review_requested.yaml
@@ -3,13 +3,24 @@ name: Review Requested
 on:
   pull_request_target:
     types: [review_requested]
+permissions: {}  # let's not use any permissions we don't need here
 jobs:
   send-mattermost-message:
     # Don't notify for the interim step of certbot/eff-devs being assigned
     if: ${{ github.event.requested_reviewer.login != ''}}
     runs-on: ubuntu-latest
     steps:
-    - uses: mattermost/action-mattermost-notify@master
+    # github actions workflows triggered by pull_request_target can be
+    # dangerous because they run with additional privileges in an environment
+    # containing values that can be controlled by an attacker. because of
+    # this, please take extra caution when modifying the steps taken by this
+    # workflow. for additional information, see
+    # https://github.com/certbot/certbot/pull/10490
+    #
+    # we pin this action to a version tested and audited by certbot's
+    # maintainers for extra security. the full hash is used as doing so is
+    # recommended by zizmor
+    - uses: mattermost/action-mattermost-notify@b7d118e440bf2749cd18a4a8c88e7092e696257a
       with:
         MATTERMOST_WEBHOOK_URL: ${{ secrets.MATTERMOST_ASSIGN_WEBHOOK }}
         TEXT: >
