From 59aee1ca5d7b0cf324372795990e2d84d7cc61c1 Mon Sep 17 00:00:00 2001
From: Silvan Mosberger
Date: Sat, 26 Oct 2024 15:01:12 +0200
Subject: [PATCH] workflows/codeowners: Fix security issue
Co-Authored-By: 13x1
Co-Authored-By: basti564
---
 .github/workflows/codeowners.yml | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index 9d781c6ef080..1e2e5c9304ac 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -1,12 +1,24 @@
 name: Codeowners
-# This workflow depends on a GitHub App with the following permissions:
-# - Repository > Administration: read-only
-# - Organization > Members: read-only
-# - Repository > Pull Requests: read-write
-# The App needs to be installed on this repository
-# the OWNER_APP_ID repository variable needs to be set
-# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
+# This workflow depends on two GitHub Apps with the following permissions:
+# - For checking code owners:
+# - Permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Install App on this repository, setting these variables:
+# - OWNER_RO_APP_ID (variable)
+# - OWNER_RO_APP_PRIVATE_KEY (secret)
+# - For requesting code owners:
+# - Permissions:
+# - Repository > Administration: read-only
+# - Organization > Members: read-only
+# - Repository > Pull Requests: read-write
+# - Install App on this repository, setting these variables:
+# - OWNER_APP_ID (variable)
+# - OWNER_APP_PRIVATE_KEY (secret)
+#
+# This split is done because checking code owners requires handling untrusted PR input,
+# while requesting code owners requires PR write access, and those shouldn't be mixed.
 on:
 pull_request_target:
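Review bot: The new header comment explains why the two Apps are split but not the invariant that keeps the split meaningful: under the `pull_request_target:` trigger visible at the end of the hunk, every job still has all repository secrets available, so the separation presumably holds only as long as each job requests the right App token, and nothing in the comment tells a future editor that. I would add after the last comment line: `# Invariant: the job that checks code owners must only ever request OWNER_RO_APP_*; the job that requests code owners must not evaluate PR-controlled input.` The token swap in the second hunk appears to be the only place that enforces the read-only side, so the comment is the right place to record the rule. The `on:` block continues outside the hunk.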
@@ -45,8 +57,8 @@ jobs:
 - uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
 id: app-token
 with:
- app-id: ${{ vars.OWNER_APP_ID }}
- private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+ app-id: ${{ vars.OWNER_RO_APP_ID }}
+ private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
 - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with: