mirror of
https://github.com/espressif/openthread.git
synced 2026-06-05 21:14:49 +00:00
06e2cdbf5c
The size.yml workflow used pull_request_target with `git checkout FETCH_HEAD`, which replaced the entire working directory (including scripts) with untrusted fork code. Since pull_request_target grants a read/write GITHUB_TOKEN even from public forks, and the workflow had no top-level permissions restriction, this allowed arbitrary code execution with write access to the repository.

Fix by:

1. Adding top-level `permissions: contents: read` (consistent with all other workflows in this repository).
2. Replacing `git checkout FETCH_HEAD` with a fetch-only approach that passes the PR merge commit SHA via the OT_SHA_NEW environment variable. The check-size script uses git-archive to extract code by SHA, so it does not need the working directory to be switched. This ensures ./script/check-size always runs from the base branch.
3. Updating check-size to accept OT_SHA_NEW from the environment, falling back to `git rev-parse HEAD` when not set (preserving existing behavior for push-triggered and local runs).
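The weak and hardened shapes of such a workflow, side by side, as an illustrative added example (this is not the repository's actual size.yml; the checkout action, step names and the `refs/pull/N/merge` fetch ref are assumptions):

```yaml
# --- BEFORE: the pattern the commit message describes ---
# pull_request_target runs in the BASE repository's context with a
# read/write GITHUB_TOKEN, even for pull requests from public forks.
on: pull_request_target          # no top-level `permissions:` block

jobs:
  size:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # base branch is checked out here...
      - run: |
          # (assumed fetch ref) pull in the PR merge commit
          git fetch origin "refs/pull/${{ github.event.pull_request.number }}/merge"
          # ...but this swaps the whole tree, including ./script/, for fork code
          git checkout FETCH_HEAD
      - run: ./script/check-size   # fork-controlled script, write-capable token

# --- AFTER: fetch-only; untrusted code is never placed in the working tree ---
on: pull_request_target

permissions:
  contents: read                   # token can no longer modify the repository

jobs:
  size:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # base branch stays in the working tree
      - name: Resolve the PR merge commit SHA without checking it out
        run: |
          git fetch origin "refs/pull/${{ github.event.pull_request.number }}/merge"
          # only the SHA crosses into later steps, via the OT_SHA_NEW variable
          echo "OT_SHA_NEW=$(git rev-parse FETCH_HEAD)" >> "$GITHUB_ENV"
      - run: ./script/check-size   # always the base-branch script; reads OT_SHA_NEW
```

In check-size the matching fallback is a one-liner of the form `OT_SHA_NEW="${OT_SHA_NEW:-$(git rev-parse HEAD)}"` (assumed shape), after which `git archive "$OT_SHA_NEW"` extracts the code to compare without switching the working directory.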