See Solr's renovate-changelog-* workflows 
<https://github.com/apache/solr/tree/main/.github/workflows> which safely write 
to a fork's PR branch. We recently converted it from a single 
pull_request_target workflow to this two-stage approach to avoid the security 
risk.

Jan

> On 3 July 2026 at 14:20, Robert Muir <[email protected]> wrote:
> 
> I was worried this would find something when upgrading to
> actions/checkout version. I'd like to change this workflow to not have
> the security risk, but it's a holiday here. Can it wait?
> 
> On Fri, Jul 3, 2026 at 4:08 AM Alan Woodward <[email protected]> wrote:
>> 
>> Hi all,
>> 
>> Our Verify Change Log action in GitHub is failing on every PR now with a 
>> permissions error:
>> 
>> "Error: Refusing to check out fork pull request code from a 
>> 'pull_request_target' workflow. This workflow runs with the base 
>> repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner 
>> access. Fetching and executing a fork's code in that trusted context 
>> commonly leads to "pwn request" vulnerabilities. To opt in, review the risks 
>> at https://gh.io/securely-using-pull_request_target and set 
>> 'allow-unsafe-pr-checkout: true' on the actions/checkout step."
>> 
>> I don’t know enough about how actions work to know if changing 
>> `allow-unsafe-pr-checkout` is the right solution here, or if we need to 
>> change the access for this action somehow?
>> 
>> - Alan
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>> 
> 

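An added sketch of the two-stage pattern Jan refers to, not Solr's actual workflow files: the file names, the `generate-changelog.sh` script and the comment-based write-back are assumptions standing in for the project's own steps. The untrusted stage runs on `pull_request` with a read-only token and only hands results over as an artifact; the trusted stage runs on `workflow_run`, never checks out fork code, and treats the artifact as untrusted input.

```yaml
# Stage 1 (hypothetical .github/workflows/changelog-check.yml): pull_request event, read-only token.
name: Changelog check
on: [pull_request]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # safe here: no write token, no repository secrets
      - name: Generate the changelog entry (project script; placeholder name)
        run: |
          mkdir -p out
          echo "${{ github.event.pull_request.number }}" > out/pr-number
          ./scripts/generate-changelog.sh > out/changelog-entry.md
      - uses: actions/upload-artifact@v4
        with:
          name: changelog-entry
          path: out/
---
# Stage 2 (hypothetical .github/workflows/changelog-write.yml): trusted context, never runs fork code.
name: Changelog write-back
on:
  workflow_run:
    workflows: ["Changelog check"]
    types: [completed]
permissions:
  actions: read          # needed to download the other run's artifact
  pull-requests: write   # the only write scope this job gets
jobs:
  write:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: changelog-entry
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Treat the artifact as untrusted input and validate it
        run: |
          pr=$(cat pr-number)
          [[ "$pr" =~ ^[0-9]+$ ]] || { echo "bad PR number in artifact"; exit 1; }
          echo "PR_NUMBER=$pr" >> "$GITHUB_ENV"
      - uses: actions/github-script@v7
        with:
          script: |
            // Write back through the API with the trusted token; nothing from the PR head executes here.
            const body = require('fs').readFileSync('changelog-entry.md', 'utf8');
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: Number(process.env.PR_NUMBER), body });
```

The write-back here is a PR comment; a project that commits to the PR branch would do so in the same stage-2 job, still without checking out or executing anything from the fork.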