Thanks Jan, that looks very helpful. All fine to wait until after the holidays are done. Enjoy your 4th July beers Robert :)
> On 3 Jul 2026, at 23:35, Jan Høydahl <[email protected]> wrote:
>
> See Solr's renovate-changelog-* workflows
> <https://github.com/apache/solr/tree/main/.github/workflows> which safely
> write to a fork's PR branch. We recently converted it from a single
> pull_request_target workflow to this two-stage approach to avoid the security
> risk.
>
> Jan
>
>> On 3 Jul 2026 at 14:20, Robert Muir <[email protected]> wrote:
>>
>> I was worried this would find something when upgrading to
>> actions/checkout version. I'd like to change this workflow to not have
>> the security risk, but it's a holiday here. Can it wait?
>>
>> On Fri, Jul 3, 2026 at 4:08 AM Alan Woodward <[email protected]> wrote:
>>>
>>> Hi all,
>>>
>>> Our Verify Change Log action in GitHub is failing on every PR now with a
>>> permissions error:
>>>
>>> "Error: Refusing to check out fork pull request code from a
>>> 'pull_request_target' workflow. This workflow runs with the base
>>> repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
>>> access. Fetching and executing a fork's code in that trusted context
>>> commonly leads to "pwn request" vulnerabilities. To opt in, review the
>>> risks at https://gh.io/securely-using-pull_request_target and set
>>> 'allow-unsafe-pr-checkout: true' on the actions/checkout step."
>>>
>>> I don't know enough about how actions work to know if changing
>>> `allow-unsafe-pr-checkout` is the right solution here, or if we need to
>>> change the access for this action somehow?
>>>
>>> - Alan
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>
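The two-stage split Jan describes, as an added illustration that is not Solr's own workflow file (the workflow names, the `verify-changelog.sh` script and the artifact name are assumptions, and this variant posts a comment rather than pushing to the PR branch): the first workflow runs on `pull_request` with a read-only token and no repository secrets, so the fork's code only ever executes in an untrusted context; the second runs on `workflow_run` in the base repository, holds the write permission, and consumes nothing from the first stage but a data artifact.

```yaml
# Stage 1 (untrusted): triggered by the fork's PR with a read-only token and
# no secrets, so checking out the fork's code is acceptable here.
# File: .github/workflows/changelog-check.yml (assumed name)
name: changelog-check
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # checks out the PR merge ref; no write access to lose
      - name: Produce a data-only result for the trusted stage
        run: |
          mkdir -p out
          echo "${{ github.event.pull_request.number }}" > out/pr-number
          ./verify-changelog.sh > out/result.txt    # assumed script
      - uses: actions/upload-artifact@v4
        with:
          name: changelog-result
          path: out/
---
# Stage 2 (trusted): runs in the base repository after stage 1 finishes,
# never checks out the fork's code, and treats the artifact strictly as data.
# File: .github/workflows/changelog-comment.yml (assumed name)
name: changelog-comment
on:
  workflow_run:
    workflows: [changelog-check]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: changelog-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - name: Post the result to the PR
        env: { GH_TOKEN: "${{ github.token }}" }
        run: |
          pr=$(tr -dc '0-9' < pr-number)           # accept digits only
          [ -n "$pr" ] || exit 1
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body-file result.txt
```

The two documents above are separate files in practice; the `---` only keeps them side by side here. Because stage 2 reads the artifact as untrusted input, it validates the PR number before using it and never executes anything the artifact contains.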
