Forgejo Actions | Security of Pull Requests
A pull request may contain code that changes what is run by Forgejo
Actions, for instance if it modifies a file in the
.forgejo/workflows directory. When such a pull request originates
from a fork of a public repository on a Forgejo instance with open
registration, the author may be a malicious user.
Users with elevated permissions on a repository can approve or deny workflows run from pull requests created from a forked repository by using the pull request conversation page.
Trust management
Trust is either granted or denied to the author of a pull request.

When using the Approve once button, all pending workflows will be
allowed to run. However, future workflows will need another manual
approval (for instance if a new commit is pushed to the same pull request).
Using the Approve always button will trust the author of the pull request to always
run workflows on this repository.
It will be possible to revoke that trust at any time.

The page displaying the run of each blocked workflow shows a link to the trust management area of the pull request.

Which users need approval?
The users who have elevated permissions on the repository do not need approval, even if they author a pull request from a forked repository. That includes:
- Collaborators with write access
- Team members with write permissions on the Actions unit
- Instance admins
All other users need their pull request approved when it originates from a fork of the repository.
The author of a pull request is trusted with all commits they push to their pull request, even if they did not author those commits. For instance, if a pull request is from a branch of a repository to which multiple users are allowed to push, those users are also implicitly trusted when the author of the pull request is trusted.
What pull requests need approval?
Assuming the author of a pull request is not implicitly trusted because of their elevated permissions, approval will be required for pull requests that are:
- from a fork of the repository
- created using the AGit workflow
Which user can grant approval?
Trust management is available to users who are:
- Team members with write permissions on the Actions unit
- Owners of the repository
- Instance admins
Which workflow files are used?
When a trusted user submits a pull request, the workflows found in the
.forgejo/workflows directory are used (with the exception of
pull_request_target events).
If the pull request is not from a trusted user, the workflows found in the target of the pull request will be used instead.
A concrete use case is to allow the repository owner to set a label on a pull request from an untrusted user without having to verify if the pull request contains a malicious workflow.
Trust expiration
When a permanently trusted user has not submitted a pull request for over three months, the trust they may have been granted on a given repository will be automatically revoked.
Blocked users
When a user is blocked, the trust they were granted on all repositories owned by the user doing the blocking will be revoked.
All workflow runs created on their behalf on those repositories will be canceled.
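The rules above (who needs approval, which users may grant it, which workflow files are used, trust expiration and the effect of blocking a user) combine into one decision procedure. The following Python model is an added example written for this page; it is not Forgejo's implementation, and the `Actor`, `PullRequest` and `RepoTrust` types, the `TRUST_TTL` approximation of "over three months" as 92 days, and the treatment of a repository owner as having elevated permissions are assumptions made for the illustration.

```python
"""Model of the Forgejo Actions pull request approval rules.

Constructed for illustration only; not Forgejo's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class WorkflowSource(Enum):
    HEAD = "pull request head"    # .forgejo/workflows from the PR's own commits
    TARGET = "target branch"      # .forgejo/workflows from the target of the PR


@dataclass(frozen=True)
class Actor:
    name: str
    instance_admin: bool = False
    repo_owner: bool = False          # assumption: owners count as elevated
    write_collaborator: bool = False
    team_actions_write: bool = False  # team member with write on the Actions unit


@dataclass(frozen=True)
class PullRequest:
    author: Actor
    from_fork: bool = False
    via_agit: bool = False
    runs: tuple[str, ...] = ()        # workflow run ids created for this PR


@dataclass
class RepoTrust:
    """Per-repository trust state: 'Approve always' grants and blocked users."""
    always_trusted: dict[str, date] = field(default_factory=dict)  # name -> last PR date
    blocked: set[str] = field(default_factory=set)


# Assumption: "over three months" approximated as 92 days.
TRUST_TTL = timedelta(days=92)


def has_elevated_permissions(a: Actor) -> bool:
    """Users who never need approval, even for pull requests from a fork."""
    return a.instance_admin or a.repo_owner or a.write_collaborator or a.team_actions_write


def can_manage_trust(a: Actor) -> bool:
    """Users allowed to use the trust management area of a pull request."""
    return a.instance_admin or a.repo_owner or a.team_actions_write


def is_trusted(author: Actor, trust: RepoTrust, today: date) -> bool:
    if has_elevated_permissions(author):
        return True
    if author.name in trust.blocked:
        return False
    last_pr = trust.always_trusted.get(author.name)
    # Permanent trust lapses when the user has not submitted a PR for too long.
    return last_pr is not None and today - last_pr <= TRUST_TTL


def needs_approval(pr: PullRequest, trust: RepoTrust, today: date) -> bool:
    # Only fork and AGit pull requests are subject to approval at all.
    if not (pr.from_fork or pr.via_agit):
        return False
    return not is_trusted(pr.author, trust, today)


def workflow_source(pr: PullRequest, trust: RepoTrust, today: date, event: str) -> WorkflowSource:
    """pull_request_target always runs the target's workflows; otherwise trust decides."""
    if event == "pull_request_target":
        return WorkflowSource.TARGET
    return WorkflowSource.HEAD if is_trusted(pr.author, trust, today) else WorkflowSource.TARGET


def approve_once(pr: PullRequest, approver: Actor) -> tuple[str, ...]:
    """Release the pending runs of this PR; trust state is left unchanged."""
    if not can_manage_trust(approver):
        raise PermissionError(f"{approver.name} cannot manage trust")
    return pr.runs


def approve_always(pr: PullRequest, approver: Actor, trust: RepoTrust, today: date) -> None:
    """Grant permanent (revocable, expiring) trust to the PR author."""
    if not can_manage_trust(approver):
        raise PermissionError(f"{approver.name} cannot manage trust")
    trust.always_trusted[pr.author.name] = today


def revoke_trust(trust: RepoTrust, name: str) -> None:
    trust.always_trusted.pop(name, None)


def block_user(trust: RepoTrust, name: str, open_prs: list[PullRequest]) -> list[str]:
    """Blocking revokes trust and returns the run ids that must be canceled."""
    trust.blocked.add(name)
    revoke_trust(trust, name)
    return [run for pr in open_prs if pr.author.name == name for run in pr.runs]
```

The model keeps `approve_once` and `approve_always` separate on purpose: the first only returns the runs that may proceed and leaves `RepoTrust` untouched, so a later push to the same pull request is blocked again, whereas the second records a dated grant that `is_trusted` rejects once `TRUST_TTL` has passed.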