{"id":1419,"date":"2026-06-23T15:09:01","date_gmt":"2026-06-23T15:09:01","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1419"},"modified":"2026-06-23T15:09:01","modified_gmt":"2026-06-23T15:09:01","slug":"github-updates-actions-checkout-to-block-common-pwn-request-attack-patterns","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1419","title":{"rendered":"GitHub Updates actions\/checkout to Block Common Pwn Request Attack Patterns"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Jun 23, 2026<\/span><\/span><span class=\"p-tags\">Workflow Security \/ Software Supply Chain<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>GitHub is moving to strengthen software supply chain security by updating \u00ab<a href=\"https:\/\/github.com\/actions\/checkout\">actions\/checkout<\/a>\u00bb to block <b>pwn request attacks<\/b> that exploit the risky use of the \u00abpull_request_target workflow\u00bb trigger to run malicious code with the workflow&#8217;s full privileges.<\/p>\n<p>Effective June 18, 2026, the latest version of \u00abactions\/checkout,\u00bb the official GitHub action for checking out a repository into the workflow&#8217;s runner, refuses common pwn request patterns by default. 
The change is expected to be backported to all currently supported major versions on July 16, 2026.<\/p>\n<p>\u00abActions\/checkout v7 refuses to fetch fork pull request code in <a href=\"https:\/\/docs.github.com\/en\/actions\/reference\/workflows-and-actions\/events-that-trigger-workflows#pull_request_target\">pull_request_target<\/a> and <a href=\"https:\/\/docs.github.com\/en\/actions\/reference\/workflows-and-actions\/events-that-trigger-workflows#workflow_run\">workflow_run<\/a> workflows (the latter only when workflow_run.event is a pull_request* event),\u00bb it <a href=\"https:\/\/github.blog\/changelog\/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout\/\">added<\/a>.<\/p>\n<p>The refusal occurs when the pull request is from a fork and any of the following criteria are met, unless workflow authors explicitly opt out of it by setting the \u00ab<a href=\"https:\/\/docs.github.com\/en\/actions\/reference\/security\/securely-using-pull_request_target\">allow-unsafe-pr-checkout<\/a>\u00bb flag to \u00abtrue\u00bb in \u00abactions\/checkout\u00bb &#8211;<\/p>\n<ul>\n<li>repository: resolves to the fork pull request&#8217;s repository<\/li>\n<li>ref: matches refs\/pull\/number\/head or refs\/pull\/number\/merge<\/li>\n<li>ref: resolves to a fork pull request&#8217;s head or merge commit SHA<\/li>\n<\/ul>\n<p>The change is aimed at preventing the most common form of pwn requests in the Actions ecosystem. 
As a result, \u00abactions\/checkout\u00bb will fail for \u00abpull_request_target events\u00bb from forks with insecure inputs.<\/p>\n<p>\u00abPull_request_target\u00bb is a workflow trigger that&#8217;s automatically run without requiring manual approval when a pull request is opened or reopened, or when the head branch of the pull request is updated. It&#8217;s important to note that the event runs in the context of the default branch of the base repository, potentially exposing secrets and a privileged GITHUB_TOKEN with both read and write permissions.<\/p>\n<p>\u00abRunning untrusted code on the pull_request_target trigger may lead to security vulnerabilities,\u00bb GitHub notes in its documentation. \u00abThese vulnerabilities include <a href=\"https:\/\/adnanthekhan.com\/2024\/05\/06\/the-monsters-in-your-build-cache-github-actions-cache-poisoning\/\">cache poisoning<\/a> and granting unintended access to write privileges or secrets.\u00bb<\/p>\n<p>The danger arises when a \u00abpull_request_target\u00bb is combined with \u00abactions\/checkout\u00bb to download and execute code submitted by an untrusted fork. 
Should a bad actor submit a pull request containing malicious scripts and the workflow checks out and runs the code, it can allow the attacker to steal the GITHUB_TOKEN and other secrets, leading to what&#8217;s <a href=\"https:\/\/www.endorlabs.com\/learn\/pwn-request-threat-a-hidden-danger-in-github-actions\">called<\/a> a <a href=\"https:\/\/securitylab.github.com\/resources\/github-actions-preventing-pwn-requests\/\">pwn request attack<\/a>.<\/p>\n<p>\u00abWorkflows triggered by pull_request_target run with the base repository&#8217;s GITHUB_TOKEN, secrets, and default-branch cache access,\u00bb GitHub said. \u00abChecking out the head of an unreviewed pull request from a fork inside one of these workflows typically lets attacker-controlled code execute with the workflow&#8217;s full privileges.\u00bb<\/p>\n<p>In recent months, a number of software supply chain attacks have weaponized this behavior. The most severe of these was the compromise of multiple packages associated with the Nx build system as part of a campaign codenamed s1ngularity; others include the breaches of PostHog, TanStack, and the popular Emacs package \u00abkubernetes-el\/kubernetes-el\u00bb.<\/p>\n<p>\u00abPull_request_target was designed for trusted automation around pull requests, such as labeling, commenting, or applying project metadata,\u00bb Socket said. \u00abBut the checkout step controls which code actually lands in the runner workspace. 
If it pulls code from a forked pull request, the workflow can end up running attacker-controlled code with the base repository&#8217;s privileges.\u00bb<\/p>\n<p>That said, the Microsoft-owned subsidiary emphasized that pwn requests triggered via other event types besides pull_request_target (e.g., issue_comment) or through other means, such as git or the GitHub CLI, are out of scope of this change.<\/p>\n<p>\u00abThis change only blocks checkouts of the fork pull request head and merge commits,\u00bb it added. \u00abIt does not block checkouts of other untrusted repositories. For example, setting repository: to an unrelated third-party repository is not blocked. 
Checking out and executing any untrusted code in a privileged event remains a pwn request risk that should be reviewed.\u00bb<\/p>\n<p>To counter the risk posed by \u00abpull_request_target,\u00bb developers are <a href=\"https:\/\/github.blog\/changelog\/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes\/\">advised<\/a> to assess and use it only when necessary, switch to \u00ab<a href=\"https:\/\/docs.github.com\/en\/actions\/reference\/workflows-and-actions\/events-that-trigger-workflows#pull_request\">pull_request<\/a>\u00bb if the workflow does not require elevated permissions or access to secrets, restrict permissions granted to the workflows, and ensure user-controlled input does not result in execution of untrusted code.<\/p>\n<p>\u00abThe protection in this update only covers checkouts performed through actions\/checkout,\u00bb Socket said. \u00abThat makes this a guardrail, not a complete solution for Actions security. Workflows that run with secrets, write permissions, deployment permissions, or OIDC publishing access still need careful review.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Jun 23, 2026Workflow Security \/ Software Supply Chain GitHub is moving to strengthen software supply chain security by updating \u00abactions\/checkout\u00bb to block pwn request attacks that exploit the 
risky&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1420,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[2154,220,1009,2155,71,2158,2156,2157,619],"class_list":["post-1419","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-actionscheckout","tag-attack","tag-block","tag-common","tag-github","tag-patterns","tag-pwn","tag-request","tag-updates"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1419"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1419\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1420"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}