block checking out fork pr for pull_request_target and workflow_run#2454
Merged
Conversation
AdnaneKhan
reviewed
Jun 14, 2026
aiqiaoy
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a guardrail to prevent accidentally checking out fork pull request code in privileged GitHub Actions contexts (pull_request_target and PR-triggered workflow_run), with an explicit opt-in escape hatch for advanced workflows.
Changes:
- Introduces
assertSafePrCheckoutto detect and block unsafe fork-PR checkouts in privileged events unlessallow-unsafe-pr-checkoutis enabled. - Adds a new action input (
allow-unsafe-pr-checkout) and threads it through input parsing and settings. - Updates documentation and adds test coverage for the new safety checks.
Show a summary per file
| File | Description |
|---|---|
| src/unsafe-pr-checkout-helper.ts | New helper that blocks unsafe fork PR checkout patterns in privileged events unless opted in. |
| src/ref-helper.ts | Exports fromPayload for reuse by the new safety helper. |
| src/input-helper.ts | Parses allow-unsafe-pr-checkout and invokes the new safety assertion during input handling. |
| src/git-source-settings.ts | Extends settings interface with allowUnsafePrCheckout. |
| README.md | Documents the new input and its intent. |
| action.yml | Adds the new input to the action metadata. |
| test/unsafe-pr-checkout-helper.test.ts | New unit tests validating allow/refuse behavior across events and patterns. |
| test/input-helper.test.ts | Asserts the new setting defaults to false. |
| test/git-auth-helper.test.ts | Updates test settings object to include the new required field. |
| dist/index.js | Bundled output updated to include the new logic. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 9/10 changed files
- Comments generated: 4
yaananth
reviewed
Jun 15, 2026
yaananth
previously approved these changes
Jun 15, 2026
yaananth
approved these changes
Jun 16, 2026
doonga
pushed a commit
to greyrock-labs/home-ops
that referenced
this pull request
Jun 18, 2026
…(#332) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v6.0.3` → `v7.0.0` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v7.0.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v700) [Compare Source](actions/checkout@v6.0.3...v7.0.0) - Block checking out fork PR for pull\_request\_target and workflow\_run by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2454](actions/checkout#2454) - Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2458](actions/checkout#2458) - Bump flatted from 3.3.1 to 3.4.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2460](actions/checkout#2460) - Bump js-yaml from 4.1.0 to 4.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2461](actions/checkout#2461) - Bump [@​actions/core](https://github.com/actions/core) and [@​actions/tool-cache](https://github.com/actions/tool-cache) and Remove uuid by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2459](actions/checkout#2459) - upgrade module to esm and update dependencies by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2463](actions/checkout#2463) - Bump the minor-npm-dependencies group across 1 directory with 3 updates by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2462](actions/checkout#2462) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/New_York) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyNC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItYWN0aW9uIiwicmVub3ZhdGUvZ2l0aHViLXJlbGVhc2UiLCJ0eXBlL21ham9yIl19--> Reviewed-on: https://git.greyrock.io/greyrock-labs/home-ops/pulls/332
1 task
|
This is awesome @aiqiaoy ! |
1 task
This was referenced Jun 18, 2026
This was referenced Jun 18, 2026
1 task
ajgon
pushed a commit
to deedee-ops/schemas
that referenced
this pull request
Jun 22, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v6` → `v7.0.0` | | [actions/checkout](https://github.com/actions/checkout) | action | major | `v6.0.2` → `v7.0.0` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v7.0.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v700) [Compare Source](actions/checkout@v6.0.3...v7.0.0) - Block checking out fork PR for pull\_request\_target and workflow\_run by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2454](actions/checkout#2454) - Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2458](actions/checkout#2458) - Bump flatted from 3.3.1 to 3.4.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2460](actions/checkout#2460) - Bump js-yaml from 4.1.0 to 4.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2461](actions/checkout#2461) - Bump [@​actions/core](https://github.com/actions/core) and [@​actions/tool-cache](https://github.com/actions/tool-cache) and Remove uuid by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2459](actions/checkout#2459) - upgrade module to esm and update dependencies by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2463](actions/checkout#2463) - Bump the minor-npm-dependencies group across 1 directory with 3 updates by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2462](actions/checkout#2462) ### [`v6.0.3`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v603) [Compare Source](actions/checkout@v6.0.2...v6.0.3) - Fix checkout init for SHA-256 repositories by [@​yaananth](https://github.com/yaananth) in [#​2439](actions/checkout#2439) - fix: expand merge commit SHA regex and add SHA-256 test cases by [@​yaananth](https://github.com/yaananth) in [#​2414](actions/checkout#2414) ### [`v6.0.2`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602) [Compare Source](actions/checkout@v6.0.1...v6.0.2) - Fix tag handling: preserve annotations and explicit fetch-tags by [@​ericsciple](https://github.com/ericsciple) in [#​2356](actions/checkout#2356) ### [`v6.0.1`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v601) [Compare Source](actions/checkout@v6...v6.0.1) - Add worktree support for persist-credentials includeIf by [@​ericsciple](https://github.com/ericsciple) in [#​2327](actions/checkout#2327) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Warsaw) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzNS4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Reviewed-on: https://git.ajgon.casa/deedee/schemas/pulls/3
This was referenced Jun 22, 2026
dgalanberasaluce
pushed a commit
to dgalanberasaluce/maximus-cli
that referenced
this pull request
Jun 23, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v6` → `v7` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v7`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v700) [Compare Source](actions/checkout@v6...v7) - Block checking out fork PR for pull\_request\_target and workflow\_run by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2454](actions/checkout#2454) - Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2458](actions/checkout#2458) - Bump flatted from 3.3.1 to 3.4.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2460](actions/checkout#2460) - Bump js-yaml from 4.1.0 to 4.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2461](actions/checkout#2461) - Bump [@​actions/core](https://github.com/actions/core) and [@​actions/tool-cache](https://github.com/actions/tool-cache) and Remove uuid by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2459](actions/checkout#2459) - upgrade module to esm and update dependencies by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2463](actions/checkout#2463) - Bump the minor-npm-dependencies group across 1 directory with 3 updates by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2462](actions/checkout#2462) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My43My4yIiwidXBkYXRlZEluVmVyIjoiNDMuNzMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Reviewed-on: https://forgejo.internal/forgejo_admin/maximus/pulls/17 Co-authored-by: Renovate Bot <renovatebot@forgejo.internal> Co-committed-by: Renovate Bot <renovatebot@forgejo.internal>
This was referenced Jun 23, 2026
This was referenced Jun 24, 2026
This was referenced Jun 24, 2026
This was referenced Jun 24, 2026
1 task
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements https://github.com/github/c2c-actions/pull/10159
TL;DR; This PR adds a check that refuses to check out fork pull request code when the workflow trigger is either
pull_request_targetorworkflow_run, unless the workflow author explicitly opts in via a new inputallow-unsafe-pr-checkout: true.