GitHub has released actions/checkout v7, introducing default protections that block a class of CI/CD supply chain attacks known as "pwn requests." The update, released June 18, 2026, prevents the most common accidental misconfiguration that allows attackers to run malicious fork code with elevated repository privileges — a pattern responsible for secrets theft at the Nx, PostHog, and TanStack open-source ecosystems, among others.
What Is a Pwn Request?
A pwn request is a supply chain attack targeting GitHub Actions CI/CD workflows. The attack exploits the pull_request_target trigger, which — unlike pull_request — runs workflows in the context of the base repository, giving access to repository secrets and the privileged GITHUB_TOKEN.
When a pull_request_target workflow also uses actions/checkout to check out the fork's code and then executes it (for example, running tests or build scripts), the malicious code from the attacker's fork runs with full base-repository privileges. The attacker can exfiltrate secrets, poison build artifacts, or push malicious code — a classic CI/CD privilege escalation with no vulnerability required, only misconfiguration.
The danger is that pull_request_target was designed to safely allow workflows to post comments or labels on fork PRs, but becomes dangerous the moment untrusted fork code is also checked out and executed in that privileged context.
What Changed in actions/checkout v7
The core change: checkout now refuses to fetch fork pull request code when operating inside a pull_request_target workflow and unsafe conditions are detected.
Checkout is blocked when all of the following are true:
- The pull request originates from a fork (not the same repository), AND
- Any of these conditions are met:
  - The repository input resolves to the fork's repository rather than the base repo
  - The ref input matches refs/pull/<number>/head or refs/pull/<number>/merge
  - The ref resolves to a fork PR's head commit SHA or merge commit SHA
In short: if you are inside a pull_request_target context and you try to check out the actual content of the forked branch or PR head, the action now blocks this by default.
Opt-Out for Legitimate Use Cases
Workflow authors who have a reviewed, intentional reason to check out fork code can explicitly override the protection:
- uses: actions/checkout@v7
  with:
    allow-unsafe-pr-checkout: 'true'

This makes the unsafe pattern deliberate and auditable rather than an accidental footgun buried in workflow YAML.
Backport Schedule
The protection will be backported to all currently supported major versions of actions/checkout on July 16, 2026 — so workflows pinned to v3, v4, or v5 will eventually receive the same protection without requiring a major version upgrade.
Why This Matters
- pull_request_target is widely misused across open-source repositories. Developers often conflate it with pull_request without understanding the privilege boundary.
- Real-world victims: The Nx, PostHog, and TanStack package ecosystems all suffered secrets exfiltration via poisoned fork PRs exploiting this exact pattern. Other incidents have targeted academic research pipelines and enterprise CI environments.
- The fix shifts the security burden from requiring every individual workflow author to reason correctly about trust boundaries — an unreliable expectation — to blocking the unsafe pattern at the action level.
- No CVE is assigned to this change; the vulnerability class is well-documented as a category of CI/CD misconfiguration rather than a software flaw.
Immediate Action for Maintainers
If you maintain GitHub Actions workflows using pull_request_target:
- Audit workflows for any actions/checkout step that references ${{ github.event.pull_request.head.ref }} or similar fork-originating refs
- Upgrade to actions/checkout@v7, or wait for the July 16 backport if pinned to an older version
- Review whether your workflow actually needs to execute fork code in a privileged context; most pull_request_target use cases (posting labels, commenting) do not require checking out fork code at all
- If you genuinely need fork code checkout in a pull_request_target context, add allow-unsafe-pr-checkout: 'true' explicitly and document the security review
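An added example, not part of this article or of actions/checkout itself: a small Python audit that approximates the v7 block conditions listed above against parsed workflow files, so maintainers can flag the unsafe pattern (and any explicit opt-ins that need a documented review) before the backport lands. It assumes workflows are already parsed into dicts (for example by PyYAML, whose bare on key parses as True); the patterns and the sample workflow are constructed for the example.

```python
import re

# Ref/repository values that make actions/checkout fetch the fork's code inside a
# pull_request_target job; these approximate the v7 conditions (assumption, not the action's code).
FORK_REF_PATTERNS = [
    re.compile(r"refs/pull/[^/]+/(head|merge)"),                # ref: refs/pull/<n>/head or /merge
    re.compile(r"github\.event\.pull_request\.head\.(ref|sha)"),  # ref: fork branch or head SHA
    re.compile(r"github\.event\.pull_request\.head\.repo\."),     # repository: the fork itself
]

def _triggers(workflow):
    # PyYAML parses the bare key "on" as boolean True, so accept both spellings.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return [on]
    return on if isinstance(on, list) else list(on.keys())

def audit_workflow(workflow):
    """One finding per checkout step that fetches fork code under pull_request_target."""
    findings = []
    if "pull_request_target" not in _triggers(workflow):
        return findings  # pull_request gives fork PRs no secrets: nothing to flag
    for job_name, job in (workflow.get("jobs") or {}).items():
        for step in job.get("steps") or []:
            if not str(step.get("uses", "")).startswith("actions/checkout"):
                continue
            inputs = step.get("with") or {}
            ref, repo = str(inputs.get("ref", "")), str(inputs.get("repository", ""))
            if not any(p.search(ref) or p.search(repo) for p in FORK_REF_PATTERNS):
                continue  # checks out the base repository only: safe
            if str(inputs.get("allow-unsafe-pr-checkout", "")).lower() == "true":
                verdict = "explicit opt-in, needs documented security review"
            else:
                verdict = "blocked by checkout v7, exploitable on unpatched versions"
            findings.append(f"{job_name}: fork code checkout (ref={ref!r}, repository={repo!r}): {verdict}")
    return findings

# Constructed sample workflow (not from any real project): the "test" job has the classic
# pwn-request shape, the "label" job only checks out the base repository.
SAMPLE_WORKFLOW = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "steps": [
            {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"run": "npm ci && npm test"},
        ]},
        "label": {"runs-on": "ubuntu-latest", "steps": [{"uses": "actions/checkout@v7"}]},
    },
}
```

To audit a repository, load each file under .github/workflows with yaml.safe_load and pass the result to audit_workflow; the sample above yields exactly one finding, for the "test" job.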
This is a low-friction, high-impact security fix. Upgrading to v7 requires no workflow logic changes for the vast majority of projects — only workflows intentionally checking out fork code in a privileged context will need to add the opt-out flag.