{"id":279696,"date":"2026-06-23T10:22:00","date_gmt":"2026-06-23T14:22:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/23\/github-updates-actions-checkout-to-block-common-pwn-request-attack-patterns\/"},"modified":"2026-06-23T13:05:08","modified_gmt":"2026-06-23T17:05:08","slug":"github-updates-actions-checkout-to-block-common-pwn-request-attack-patterns","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/23\/github-updates-actions-checkout-to-block-common-pwn-request-attack-patterns\/","title":{"rendered":"GitHub Updates actions\/checkout to Block Common Pwn Request Attack Patterns"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/github-updates-actionscheckout-to-block.html\">GitHub Updates actions\/checkout to Block Common Pwn Request Attack Patterns<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/github-updates-actionscheckout-to-block.html\">https:\/\/thehackernews.com\/2026\/06\/github-updates-actionscheckout-to-block.html<\/a><\/p>\n<p>Publish Date: 2026-06-23 10:22:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 23, 2026<\/span><\/span><span class=\"p-tags\">Workflow Security \/ Software Supply Chain<\/span><\/p>\n<p>GitHub is moving to strengthen software supply chain security by updating &#8220;actions\/checkout&#8221; to block pwn request attacks that exploit the risky use of the &#8220;pull_request_target workflow&#8221; trigger to run malicious code with the workflow&#8217;s full privileges.<\/p>\n<p>Effective June 18, 2026, the latest version of &#8220;actions\/checkout,&#8221; the official GitHub action for checking out a repository into the workflow&#8217;s runner, refuses common pwn request patterns by default. 
The change is expected to be backported to all currently supported major versions on July 16, 2026.<\/p>\n<p>&#8220;Actions\/checkout v7 refuses to fetch fork pull request code in pull_request_target and workflow_run workflows (the latter only when workflow_run.event is a pull_request* event),&#8221; it added.<\/p>\n<p>The refusal occurs when the pull request is from a fork, and any of the following criteria is met, unless workflow authors explicitly opt out of it by setting the &#8220;allow-unsafe-pr-checkout&#8221; flag to &#8220;true&#8221; in &#8220;actions\/checkout&#8221; &#8211;<\/p>\n<ul>\n<li>repository: resolves to the fork pull request&#8217;s repository<\/li>\n<li>ref: matches refs\/pull\/number\/head or refs\/pull\/number\/merge<\/li>\n<li>ref: resolves to a fork pull request&#8217;s head or merge commit SHA<\/li>\n<\/ul>\n<p>The change is aimed at preventing the most common form of pwn requests in the Actions ecosystem. As a result, &#8220;actions\/checkout&#8221; will fail for &#8220;pull_request_target events&#8221; from forks with insecure inputs.<\/p>\n<p>&#8220;Pull_request_target&#8221; is a workflow trigger that&#8217;s automatically run without requiring manual approval when a pull request is opened or reopened, or when the head branch of the pull request is updated. It&#8217;s important to note that the event runs in the context of the default branch of the base repository, potentially exposing secrets and a privileged GITHUB_TOKEN with both read and write permissions.<\/p>\n<p>&#8220;Running untrusted code on the pull_request_target trigger may lead to security vulnerabilities,&#8221; GitHub notes in its documentation. 
&#8220;These&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/github-updates-actionscheckout-to-block.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub Updates actions\/checkout to Block Common Pwn Request Attack Patterns https:\/\/thehackernews.com\/2026\/06\/github-updates-actionscheckout-to-block.html Publish Date: 2026-06-23 10:22:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":279700,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjcacTEKD_LZFda1wwX5aClbAVOb6mwah2lVUY-jUZwNsrSZGDOFL18LP5zYLX3M2DwKng0qknZ5qo_hMk4q-NExgZv1ozhCy7DJuZwvviZE0sv36PQ2k8Y2emv1KMDFplakFwVzulOFPteWkmVoLO6Le912KAbJGFW0nkqKWHEkwJQLbsGhz5npWO3aJaR\/s1600\/github-actions.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31],"class_list":["post-279696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279696"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=279696"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279696\/revisions"}],"predecessor-version":[{"id":279701,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/279696\/revisions\/279701"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/279700"}],"wp:attachment":[{"href":"https:\/\/news
-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=279696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=279696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=279696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}