Summary
Whenever Refresh gets a new release it uses the latest available artifact of refresh-web. The branch to download from is not specified, so if a pull request is submitted at the right moment during a release, Refresh will download the artifacts produced by that pull request's workflow run (if the workflow is approved to run). This could lead to many outcomes, chiefly that anyone could replace the website hosted on lbp.littlebigreresh.com with whatever they wish (if the timing is right and Refresh picks up that artifact).
In practice, the impact is fairly minor, since workflows on pull requests require human review before they can run, and malicious code would probably be caught before the workflow is approved.
I've seen this happen already when I published a pull request that made a change to how categories are presented. I noticed that my change was already in effect on the official Refresh instance before my pull request was even reviewed.
Solution
Specify the master branch in the artifact download job: LittleBigRefresh/Refresh@f6ffaab
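The selection logic behind the fix, as an added illustration that is not code from the Refresh project: given a list of workflow-run records (a constructed sample shaped like the fields GitHub's REST API returns for runs), "latest artifact" without a branch filter picks the newest successful run even when it came from a pull request, while filtering on the trusted branch and on the push event picks only runs built from master. The filter on the event type is an assumption added here as a belt-and-braces check, since a pull request from a fork can carry any head-branch name, including "master".

```python
from datetime import datetime, timezone

# Constructed sample of workflow-run records (only the fields used here).
# Run 102 is a pull-request build that finished after the last good push
# to master (run 101); run 103 is a failed push build and must be skipped.
SAMPLE_RUNS = [
    {"id": 101, "head_branch": "master", "event": "push",
     "conclusion": "success", "created_at": "2024-01-10T12:00:00Z"},
    {"id": 102, "head_branch": "feature/categories", "event": "pull_request",
     "conclusion": "success", "created_at": "2024-01-11T09:30:00Z"},
    {"id": 103, "head_branch": "master", "event": "push",
     "conclusion": "failure", "created_at": "2024-01-11T10:00:00Z"},
]


def _created(run):
    """Parse the ISO-8601 timestamp used by the run records."""
    return datetime.strptime(run["created_at"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def pick_latest_unfiltered(runs):
    """Weak selection: newest successful run, whatever branch or event produced it.

    This is the behaviour the advisory describes: a PR build that finishes at
    the right moment becomes the artifact that gets deployed.
    """
    ok = [r for r in runs if r["conclusion"] == "success"]
    return max(ok, key=_created) if ok else None


def pick_latest_from_branch(runs, branch="master", events=("push",)):
    """Hardened selection: newest successful run from a push to the trusted branch.

    Returns None when no trusted run exists, so a caller can fail the release
    instead of silently falling back to an untrusted artifact.
    """
    ok = [r for r in runs
          if r["conclusion"] == "success"
          and r["head_branch"] == branch
          and r["event"] in events]
    return max(ok, key=_created) if ok else None


if __name__ == "__main__":
    print("unfiltered picks run", pick_latest_unfiltered(SAMPLE_RUNS)["id"])
    print("branch-pinned picks run", pick_latest_from_branch(SAMPLE_RUNS)["id"])
```

Returning None rather than a fallback is deliberate: a release job that cannot find a trusted artifact should stop, which is also the condition to alert on if a deployment pipeline ever reaches it.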