documentation: emphasize the head of a pull request is not trusted

2025-03-14 22:36:58 +01:00 · 2023-11-08 17:20:04 +01:00 · 2023-11-08 17:20:04 +01:00 · e858de5450
commit e858de5450
parent 9e848c27a8
2 changed files with 10 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -51,8 +51,11 @@ It is recommended that a dedicated user is used to create
 `destination-token` and that `destination-fork-repo` is always used
 unless the users who are able to create pull requests are trusted.

-When the PR is from a forked repository, the `update` script is checked out from
-the default branch instead of the head branch of the fork.
+When the PR is from a forked repository, the `update` script is run
+from the default branch of the base repository instead of the head
+branch of the fork. The pull request author must not be trusted
+and it is imperative that the `update` script never runs anything
+found in the head branch of the pull request.

 If the fork of the destination repository is specified and it does
 not exist, it is created.
--- a/action.yml
+++ b/action.yml
@ -50,8 +50,11 @@ description: |
  `destination-token` and that `destination-fork-repo` is always used
  unless the users who are able to create pull requests are trusted.

-  When the PR is from a forked repository, the `update` script is checked out from
-  the default branch instead of the head branch of the fork.
+  When the PR is from a forked repository, the `update` script is run
+  from the default branch of the base repository instead of the head
+  branch of the fork. The pull request author must not be trusted
+  and it is imperative that the `update` script never runs anything
+  found in the head branch of the pull request.

  If the fork of the destination repository is specified and it does
  not exist, it is created.