GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns
GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns
https://thehackernews.com/2026/06/github-updates-actionscheckout-to-block.html
Publish Date: 2026-06-23 10:22:00
Source Domain: thehackernews.com
GitHub is moving to strengthen software supply chain security by updating “actions/checkout” to block pwn request attacks that exploit the risky use of the “pull_request_target workflow” trigger to run malicious code with the workflow’s full privileges.
Effective June 18, 2026, the latest version of “actions/checkout,” the official GitHub action for checking out a repository into the workflow’s runner, refuses common pwn request patterns by default. The change is expected to be backported to all currently supported major versions on July 16, 2026.
“Actions/checkout v7 refuses to fetch fork pull request code in pull_request_target and workflow_run workflows (the latter only when workflow_run.event is a pull_request* event),” it added.
The refusal occurs when the pull request is from a fork, and any of the following criteria is met, unless workflow authors explicitly opt out of it by setting the “allow-unsafe-pr-checkout” flag to “true” in “actions/checkout” –
- repository: resolves to the fork pull request’ repository
- ref: matches refs/pull/number/head or refs/pull/number/merge
- ref: resolves to a fork pull request’s head or merge commit SHA
The change is aimed at preventing the most common form of pwn requests in the Actions ecosystem. As a result, “actions/checkout” will fail for “pull_request_target events” from forks with insecure inputs.
“Pull_request_target” is a workflow trigger that’s automatically run without requiring manual approval when a pull request is opened or reopened, or when the head branch of the pull request is updated. It’s important to note that the event runs in the context of the default branch of the base repository, potentially exposing secrets and a privileged GITHUB_TOKEN with both read and write permissions.
“Running untrusted code on the pull_request_target trigger may lead to security vulnerabilities,” GitHub notes in its documentation. “These…
