
fix(security): PR Previews from Forks#110

Closed
AdrianGonz97 wants to merge 1 commit into PaperMC:main from AdrianGonz97:chore/fix-pr-previews

Conversation

@AdrianGonz97

The Issue

Hey! I'm the maintainer of the GitHub Action refined-cf-pages-action and we were recently made aware of a security vulnerability regarding the pull_request_target workflow event where it's possible to leak secrets (including the CF credentials used in the action) through a GitHub Actions exploit when running untrusted code. Unfortunately, our previous recommendation for the setup of the PR Previews from Forks feature included the use of this workflow event type without PR approvals, which has now been updated.

I'm going around to all of the dependents of the action that are using the PR Previews from Forks feature to apply the fix.

The Fix

We've come up with an alternate method that is safer to use and will resolve this issue entirely.

Rather than using pull_request_target, which runs in a privileged environment (meaning that repository secrets can be used in it), previews will now be deployed in two stages:

  1. The first stage (build-preview.yml) will use the pull_request event, which runs in an unprivileged environment, making it safe to run untrusted code. The site will be built in this stage and the build directory will be uploaded to GitHub as an artifact.
  2. The second stage (deploy-preview.yml) will use the workflow_run event, which runs in a privileged environment where its only job will be to download the build artifact and then run the refined-cf-pages-action action to upload the build files to Cloudflare Pages for preview deployment.

And that's it! No further actions are necessary.

Thanks for your time!
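The two-stage layout described in the PR, written out as an added illustration (this is not the PR's own commit and not the PaperMC repository's actual workflow files). The project name papermc-website is taken from the bot comment on this page; the Node build commands, the artifact name preview-build, the output directory dist and the refined-cf-pages-action input names (apiToken, accountId, githubToken, projectName, directory, deploymentName, branch) are assumptions and should be checked against the action's README. The point to notice is that the only job holding the Cloudflare secrets never checks out or executes anything from the pull request; it only moves an already-built artifact.

```yaml
# build-preview.yml (assumed name) -- stage 1, unprivileged.
# Triggered by pull_request, so fork PRs get no repository secrets here;
# this is the only place untrusted PR code is executed.
name: Build PR Preview
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Untrusted code runs here; there are no secrets in this context to leak.
      - run: npm ci && npm run build   # assumed build commands
      - uses: actions/upload-artifact@v4
        with:
          name: preview-build          # assumed artifact name
          path: dist/                  # assumed build output directory

---
# deploy-preview.yml (assumed name) -- stage 2, privileged.
# Triggered by workflow_run after stage 1 finishes; secrets are available,
# so this job must not check out or run anything from the PR. It only
# downloads the artifact and hands the files to the action.
name: Deploy PR Preview
on:
  workflow_run:
    workflows: ["Build PR Preview"]   # must match the stage-1 workflow name
    types: [completed]
jobs:
  deploy:
    # Only deploy builds that succeeded and that came from a pull_request run.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      deployments: write
    steps:
      # Deliberately no actions/checkout here.
      - uses: actions/download-artifact@v4
        with:
          name: preview-build
          path: dist
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Input names below are assumed from the action's README; verify them.
      - uses: AdrianGonz97/refined-cf-pages-action@v1
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          projectName: papermc-website
          directory: dist
          deploymentName: Preview
          branch: ${{ github.event.workflow_run.head_branch }}
```

Two things to keep in mind when reviewing a setup like this: the downloaded artifact is still PR-controlled content, so the deploy job should treat it as opaque files to upload and never run a build step, install, or script from it; and the `workflows:` filter plus the `conclusion`/`event` condition are what keep the privileged job from running on arbitrary or failed upstream runs.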

@github-actions

github-actions bot commented Aug 3, 2024

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name Status Preview Last Commit
papermc-website 🔨 Building (View Log) 1e3609d

@PaperMC PaperMC deleted a comment from vercel bot Aug 6, 2024
@MiniDigger
Member

no longer relevant

@MiniDigger MiniDigger closed this Jul 12, 2025