{{ message }}
block checking out fork pr for pull_request_target and workflow_run#2454
Merged
Conversation
AdnaneKhan
reviewed
Jun 14, 2026
aiqiaoy
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a guardrail to prevent accidentally checking out fork pull request code in privileged GitHub Actions contexts (pull_request_target and PR-triggered workflow_run), with an explicit opt-in escape hatch for advanced workflows.
Changes:
- Introduces
assertSafePrCheckoutto detect and block unsafe fork-PR checkouts in privileged events unlessallow-unsafe-pr-checkoutis enabled. - Adds a new action input (
allow-unsafe-pr-checkout) and threads it through input parsing and settings. - Updates documentation and adds test coverage for the new safety checks.
Show a summary per file
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 9/10 changed files
- Comments generated: 4
yaananth
reviewed
Jun 15, 2026
yaananth
previously approved these changes
Jun 15, 2026
yaananth
approved these changes
Jun 16, 2026
doonga
pushed a commit
to greyrock-labs/home-ops
that referenced
this pull request
Jun 18, 2026
…(#332) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v6.0.3` → `v7.0.0` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v7.0.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v700) [Compare Source](actions/checkout@v6.0.3...v7.0.0) - Block checking out fork PR for pull\_request\_target and workflow\_run by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2454](actions/checkout#2454) - Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2458](actions/checkout#2458) - Bump flatted from 3.3.1 to 3.4.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2460](actions/checkout#2460) - Bump js-yaml from 4.1.0 to 4.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2461](actions/checkout#2461) - Bump [@​actions/core](https://github.com/actions/core) and [@​actions/tool-cache](https://github.com/actions/tool-cache) and Remove uuid by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2459](actions/checkout#2459) - upgrade module to esm and update dependencies by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2463](actions/checkout#2463) - Bump the minor-npm-dependencies group across 1 directory with 3 updates by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2462](actions/checkout#2462) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/New_York) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyNC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9naXRodWItYWN0aW9uIiwicmVub3ZhdGUvZ2l0aHViLXJlbGVhc2UiLCJ0eXBlL21ham9yIl19--> Reviewed-on: https://git.greyrock.io/greyrock-labs/home-ops/pulls/332
1 task
1 task
This was referenced Jun 18, 2026
This was referenced Jun 18, 2026
This was referenced Jun 22, 2026
dgalanberasaluce
pushed a commit
to dgalanberasaluce/maximus-cli
that referenced
this pull request
Jun 23, 2026
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v6` → `v7` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v7`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v700) [Compare Source](actions/checkout@v6...v7) - Block checking out fork PR for pull\_request\_target and workflow\_run by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2454](actions/checkout#2454) - Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2458](actions/checkout#2458) - Bump flatted from 3.3.1 to 3.4.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2460](actions/checkout#2460) - Bump js-yaml from 4.1.0 to 4.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2461](actions/checkout#2461) - Bump [@​actions/core](https://github.com/actions/core) and [@​actions/tool-cache](https://github.com/actions/tool-cache) and Remove uuid by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2459](actions/checkout#2459) - upgrade module to esm and update dependencies by [@​aiqiaoy](https://github.com/aiqiaoy) in [#​2463](actions/checkout#2463) - Bump the minor-npm-dependencies group across 1 directory with 3 updates by [@​dependabot](https://github.com/dependabot)\[bot] in [#​2462](actions/checkout#2462) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My43My4yIiwidXBkYXRlZEluVmVyIjoiNDMuNzMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Reviewed-on: https://forgejo.internal/forgejo_admin/maximus/pulls/17 Co-authored-by: Renovate Bot <renovatebot@forgejo.internal> Co-committed-by: Renovate Bot <renovatebot@forgejo.internal>
This was referenced Jun 23, 2026
This was referenced Jun 24, 2026
This was referenced Jun 24, 2026
This was referenced Jun 24, 2026
1 task
This was referenced Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements https://github.com/github/c2c-actions/pull/10159
TL;DR; This PR adds a check that refuses to check out fork pull request code when the workflow trigger is either
pull_request_targetorworkflow_run, unless the workflow author explicitly opts in via a new inputallow-unsafe-pr-checkout: true.