Thanks Jan, that looks very helpful.  All fine to wait until after the holidays 
are done.  Enjoy your 4th July beers Robert :)

> On 3 Jul 2026, at 23:35, Jan Høydahl <[email protected]> wrote:
> 
> See Solr's renovate-changelog-* workflows
> <https://github.com/apache/solr/tree/main/.github/workflows> which safely
> write to a fork's PR branch. We recently converted it from a single 
> pull_request_target workflow to this two-stage approach to avoid the security 
> risk.
> 
> Jan
> 
>> 3. juli 2026 kl. 14:20 skrev Robert Muir <[email protected]>:
>> 
>> I was worried this would find something when upgrading to
>> actions/checkout version. I'd like to change this workflow to not have
>> the security risk, but it's a holiday here. Can it wait?
>> 
>> On Fri, Jul 3, 2026 at 4:08 AM Alan Woodward <[email protected]> wrote:
>>> 
>>> Hi all,
>>> 
>>> Our Verify Change Log action in GitHub is failing on every PR now with a 
>>> permissions error:
>>> 
>>> "Error: Refusing to check out fork pull request code from a 
>>> 'pull_request_target' workflow. This workflow runs with the base 
>>> repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner 
>>> access. Fetching and executing a fork's code in that trusted context 
>>> commonly leads to "pwn request" vulnerabilities. To opt in, review the 
>>> risks at https://gh.io/securely-using-pull_request_target and set 
>>> 'allow-unsafe-pr-checkout: true' on the actions/checkout step."
>>> 
>>> I don’t know enough about how actions work to know if changing 
>>> `allow-unsafe-pr-checkout` is the right solution here, or if we need to 
>>> change the access for this action somehow?
>>> 
>>> - Alan
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>> 
>> 
> 
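For readers following the thread, the two-stage shape Jan describes, as an added illustration and not Solr's actual renovate-changelog-* files: stage one runs the fork's code under `pull_request`, where the token is read-only and no secrets are exposed, and only uploads an artifact; stage two runs under `workflow_run` in the trusted context with write permission but never checks out or executes the fork's code, treating the artifact purely as untrusted data. The file names, the `verify-changelog.sh` script and posting a PR comment as the write step are assumptions.

```yaml
# .github/workflows/changelog-check.yml (stage 1, illustrative)
# Runs on `pull_request`: fork code executes with a read-only GITHUB_TOKEN
# and no repository secrets, so a malicious PR cannot gain anything here.
name: changelog-check
on: pull_request
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # untrusted code in an untrusted context: fine
      - run: |
          # hypothetical check script standing in for the project's real one
          ./scripts/verify-changelog.sh > result.txt
          echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: changelog-result
          path: |
            result.txt
            pr-number.txt
---
# .github/workflows/changelog-comment.yml (stage 2, illustrative)
# Runs on `workflow_run` with the base repo's privileges, but there is no
# checkout of the PR head at all, so no fork code can run with this token.
name: changelog-comment
on:
  workflow_run:
    workflows: [changelog-check]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: changelog-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          # The artifact was produced by untrusted code: validate before use.
          pr=$(tr -dc '0-9' < pr-number.txt)
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body-file result.txt
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Contrast this with the failing setup in Alan's mail, where a single `pull_request_target` workflow checks out the fork's head and runs it with the base repository's token, which is exactly the "pwn request" condition actions/checkout now refuses by default.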
