<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/77142">77142</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Split pr-code-format.yml into separate untrusted+trusted workflows
</td>
</tr>
<tr>
<th>Labels</th>
<td>
github:workflow
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
jyknight
</td>
</tr>
</table>
<pre>
The workflow should be split in two, with a "pull_request" workflow (unprivileged) to run formatting actions, and a separate "workflow_run" (privileged) to post the issue update, as recommended by https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
The current implementation is not _obviously_ broken (it's not running binaries from the untrusted checkout), but manipulating the untrusted checkout at all in a privileged context is riskier than necessary, so would be improved by splitting into two parts.
@tstellar @tru @boomanaiden154
</pre>
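<p>The split the issue asks for, shown as an added example (this is not the issue's own text, nor the project's actual pr-code-format.yml). It follows the unprivileged <code>pull_request</code> / privileged <code>workflow_run</code> pattern from the linked GitHub Security Lab article. Workflow names, the artifact name, the clang-format invocation, the comment wording and the PR-number validation are all assumptions made for illustration.</p>

```yaml
# --- .github/workflows/pr-format-check.yml (hypothetical file name) ---
# Unprivileged half: runs on the untrusted PR head with a read-only token.
# It may execute tools against the PR checkout, but it can only hand results
# onward as an artifact; it cannot write to the repository or post comments.
name: PR Format Check
on:
  pull_request:
    branches: [ main ]

permissions:
  contents: read

jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # base commit must be present for the diff
      - name: Run clang-format and capture the diff
        # Event data goes through env, not inline ${{ }} in the script,
        # so nothing from the PR is interpolated into the shell.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_NUMBER: ${{ github.event.number }}
        run: |
          git clang-format --diff "$BASE_SHA" HEAD > format-diff.txt || true
          echo "$PR_NUMBER" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: format-result
          path: |
            format-diff.txt
            pr-number.txt

---
# --- .github/workflows/pr-format-comment.yml (hypothetical file name) ---
# Privileged half: triggered when the check workflow finishes. workflow_run
# jobs execute the copy of this file on the default branch, so a PR cannot
# edit it, and this job never checks out or runs anything from the PR.
name: PR Format Comment
on:
  workflow_run:
    workflows: [ "PR Format Check" ]
    types: [ completed ]

permissions:
  actions: read          # needed to fetch the other run's artifact
  pull-requests: write   # the only privilege this half actually needs

jobs:
  comment:
    runs-on: ubuntu-latest
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: format-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // The artifact was produced under the PR author's control, so it is
            // untrusted input: validate the PR number and confirm that PR's head
            // is the commit the unprivileged run actually checked, otherwise an
            // attacker could aim the comment at an unrelated PR.
            const prText = fs.readFileSync('pr-number.txt', 'utf8').trim();
            if (!/^[0-9]{1,8}$/.test(prText)) {
              core.setFailed('artifact carried an invalid PR number');
              return;
            }
            const pull_number = Number(prText);
            const { owner, repo } = context.repo;
            const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) {
              core.setFailed('artifact PR number does not match the checked commit');
              return;
            }
            const diff = fs.readFileSync('format-diff.txt', 'utf8');
            if (diff.trim() === '') return;   // nothing to report
            await github.rest.issues.createComment({
              owner, repo, issue_number: pull_number,
              // ~~~ fences are used so a diff containing ``` cannot break out
              body: 'clang-format suggests the following changes:\n\n~~~diff\n'
                    + diff.slice(0, 60000) + '\n~~~\n',
            });
```

<p>The point of the split is that the job with a write-capable token never touches the untrusted checkout at all, only a small, validated artifact. The head-SHA comparison is the check a reviewer would ask for: without it the artifact's PR number is attacker-chosen, and the privileged job would happily comment wherever it is told.</p>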