I was worried this would find something when upgrading to
actions/checkout version. I'd like to change this workflow to not have
the security risk, but it's a holiday here. Can it wait?

On Fri, Jul 3, 2026 at 4:08 AM Alan Woodward <[email protected]> wrote:
>
> Hi all,
>
> Our Verify Change Log action in GitHub is failing on every PR now with a 
> permissions error:
>
> "Error: Refusing to check out fork pull request code from a
> 'pull_request_target' workflow. This workflow runs with the base repository's
> GITHUB_TOKEN, secrets, default-branch cache scope, and runner access.
> Fetching and executing a fork's code in that trusted context commonly leads
> to "pwn request" vulnerabilities. To opt in, review the risks at
> https://gh.io/securely-using-pull_request_target and set
> 'allow-unsafe-pr-checkout: true' on the actions/checkout step."
>
> I don’t know enough about how actions work to know if changing 
> `allow-unsafe-pr-checkout` is the right solution here, or if we need to 
> change the access for this action somehow?
>
> - Alan
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

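To make the error message concrete, here is an added illustration (not the project's actual Verify Change Log workflow, which the thread does not show) of the shape actions/checkout is refusing, beside a variant that keeps the fork's code out of the trusted context. The file name, the `scripts/verify-changelog.sh` path, the checkout version tag and the assumption that the check only needs to see whether `CHANGELOG.md` changed are all mine, not from the thread.

```yaml
# verify-changelog.yml (assumed name; illustration, not the project's real workflow)
#
# Risky shape: pull_request_target runs with the base repository's GITHUB_TOKEN,
# secrets and cache scope, yet checks out the fork's commit and then executes a
# script taken from it. This is the "pwn request" pattern the checkout error
# describes; setting allow-unsafe-pr-checkout: true would only silence the guard,
# not remove the risk.
on: pull_request_target
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # version tag assumed
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # the fork's commit
      - run: ./scripts/verify-changelog.sh   # script now comes from the fork
---
# Safer shape for a check that only needs to read the PR's diff: trigger on
# pull_request instead. For PRs from forks this runs with a read-only
# GITHUB_TOKEN and without repository secrets, so executing fork code is
# contained. The diff is computed with git; no script from the fork is run.
on: pull_request
permissions:
  contents: read
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # version tag assumed
        with:
          fetch-depth: 0                   # full history so the base branch is available
      - name: Require a CHANGELOG.md change   # assumed: what "Verify Change Log" checks
        run: |
          git diff --name-only "origin/${{ github.base_ref }}...HEAD" \
            | grep -qx 'CHANGELOG.md' \
            || { echo 'CHANGELOG.md was not updated'; exit 1; }
```

If the job genuinely needs base-repository secrets (for example to post a comment), the usual split is a `pull_request_target` job that reads only the event payload and never checks out or executes the fork's code, alongside a `pull_request` job that does the untrusted work.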