I was worried this would find something when upgrading to actions/checkout version. I'd like to change this workflow to not have the security risk, but it's a holiday here. Can it wait?
On Fri, Jul 3, 2026 at 4:08 AM Alan Woodward <[email protected]> wrote:
>
> Hi all,
>
> Our Verify Change Log action in GitHub is failing on every PR now with a
> permissions error:
>
> "Error: Refusing to check out fork pull request code from a
> 'pull_request_target' workflow. This workflow runs with the base repository's
> GITHUB_TOKEN, secrets, default-branch cache scope, and runner access.
> Fetching and executing a fork's code in that trusted context commonly leads
> to "pwn request" vulnerabilities. To opt in, review the risks at
> https://gh.io/securely-using-pull_request_target and set
> 'allow-unsafe-pr-checkout: true' on the actions/checkout step."
>
> I don't know enough about how actions work to know if changing
> `allow-unsafe-pr-checkout` is the right solution here, or if we need to
> change the access for this action somehow?
>
> - Alan
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> ---------------------------------------------------------------------
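One defender-side way to resolve the question raised above, shown as an added example that is not the project's actual "Verify Change Log" workflow: keep the check's ability to see the PR's changes but move it off the trusted `pull_request_target` context instead of setting `allow-unsafe-pr-checkout: true`. It assumes the check only needs to read the diff (no secrets, no write token) and that the changelog lives at `CHANGELOG.md`; the commented "before" block sketches the pattern the error text refers to.

```yaml
# Added example, not the project's real workflow. Assumptions: the check only
# needs to read the PR diff, needs no secrets, and the file is CHANGELOG.md.

# --- Pattern the error message warns about: trusted context + fork code ---
# on: pull_request_target            # base-repo GITHUB_TOKEN, secrets, cache scope
# jobs:
#   verify-changelog:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#         with:
#           ref: ${{ github.event.pull_request.head.sha }}   # the fork's tree
#           allow-unsafe-pr-checkout: true                    # disables the guard
#       - run: ./scripts/verify-changelog.sh                  # runs the fork's script

# --- Hardened: untrusted trigger, read-only token, no persisted credentials ---
name: Verify Change Log
on:
  pull_request:                        # fork PRs get a read-only token and no secrets
    types: [opened, synchronize, reopened]

permissions:
  contents: read                       # least privilege for the whole workflow

jobs:
  verify-changelog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0               # full history so base and head SHAs are reachable
          persist-credentials: false   # do not leave the token in .git/config

      # Inspect the diff with runner tools only; never execute anything from the PR tree.
      - name: Require a CHANGELOG.md entry
        env:
          BASE: ${{ github.event.pull_request.base.sha }}
          HEAD: ${{ github.event.pull_request.head.sha }}
        run: |
          # Three-dot form diffs from the merge base, so unrelated base-branch
          # changes are not counted as part of the PR.
          if git diff --name-only "$BASE...$HEAD" | grep -qx 'CHANGELOG.md'; then
            echo "CHANGELOG.md updated"
          else
            echo "::error::CHANGELOG.md was not updated in this PR"
            exit 1
          fi
```

If the check genuinely needs secrets or a write token, the safer split is to keep this read-only job on `pull_request` and run only the privileged part (for example posting a status) from a separate workflow that never checks out or executes the PR's code.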
