9. Use pull_request_target in shim workflows
Date: 2026-04-02
Status
Accepted
Context
The shim workflow in enrolled repos (.github/workflows/fullsend.yaml) references FULLSEND_DISPATCH_TOKEN to trigger agent dispatch. Using pull_request as the trigger means a malicious PR could modify the workflow file to exfiltrate this token — pull_request runs the PR branch version of the workflow. Using pull_request_target runs the base branch version, so PR authors cannot alter the workflow that executes.
Decision
Use pull_request_target for PR-related events in the shim workflow. The shim never checks out PR code — it is a static curl call that forwards event metadata to the dispatch workflow in .fullsend.
Why this is safe despite pull_request_target's reputation: The "pwn request" vulnerability class requires pull_request_target combined with checkout of untrusted code and execution of that code. Our shim does none of that — it reads only github.event_name, github.repository, and toJSON(github.event) from the event context, then curls the dispatch endpoint. No checkout, no build, no script execution from the PR.
Residual risk: A compromised dispatch token could trigger workflow_dispatch events on .fullsend. This is a DoS vector (burn Actions minutes) but not credential theft — the dispatch workflow reads its own repo secrets, and the caller cannot influence which secrets are accessed. This risk is acceptable.
CODEOWNERS on the shim workflow path provides defense-in-depth: even if an attacker could somehow modify the base branch workflow, the change requires human approval.
Alternatives considered:
pull_request— exposes the dispatch token to PR-authored workflow modifications. Rejected.- No token / webhook-based dispatch — requires a hosted webhook receiver, breaking compute-platform agnosticism. Rejected.
- Org-level
pull_request_targetprohibition — some orgs disablepull_request_targetvia repository rulesets. Document as a known configuration requirement for adopters.
Consequences
- PR authors cannot modify the shim workflow to exfiltrate the dispatch token.
- The shim must never be extended to checkout PR code — this invariant must be maintained as the shim evolves.
- Orgs with blanket
pull_request_targetprohibitions must allowlist the shim workflow. - Security auditors reviewing the repo will flag
pull_request_target— the shim's inline comments explain why it is safe.
