GitHub has taken significant steps to bolster software supply chain security by updating its popular ‘actions/checkout’ tool. This update is designed to block pwn request attacks that exploit the ‘pull_request_target’ workflow trigger, which can potentially run malicious code with full workflow privileges. The change, effective from June 18, 2026, automatically blocks common pwn request patterns, marking an essential move for safeguarding repositories.
New Security Measures for Actions/Checkout
The latest update to ‘actions/checkout’ ensures that fork pull request codes are not fetched in ‘pull_request_target’ and ‘workflow_run’ workflows, particularly when the triggering event is a ‘pull_request’. This measure is in place unless the ‘allow-unsafe-pr-checkout’ flag is explicitly set to ‘true’. The update will extend to all major supported versions on July 16, 2026, enhancing security across the platform.
These preventative measures are crucial as ‘pull_request_target’ workflows often run with elevated permissions, including access to secrets and write capabilities via the GITHUB_TOKEN. Such access poses significant security risks if exploited by malicious actors through untrusted fork pull requests.
Understanding the Risks of Pull Request Target
‘Pull_request_target’ is a trigger that executes workflows automatically when a pull request is opened or updated. This convenience comes with risks, as the workflow runs with the base repository’s access levels, potentially exposing sensitive information. GitHub’s documentation warns that executing untrusted code through this mechanism can lead to vulnerabilities, including cache poisoning and unauthorized access.
The risk is heightened when combined with ‘actions/checkout’, allowing attackers to submit harmful scripts that, if executed, could compromise the GITHUB_TOKEN and other critical data. This type of attack, known as a pwn request, has been exploited in recent software supply chain attacks, including breaches involving the Nx build system and other popular packages.
Guidance for Developers
To mitigate risks, developers are advised to carefully assess the necessity of using ‘pull_request_target’. If elevated permissions are not required, switching to ‘pull_request’ can reduce potential vulnerabilities. Developers should also restrict workflow permissions and ensure that user-controlled inputs do not result in executing untrusted code.
GitHub emphasizes that while this update is a protective measure, it is not a comprehensive solution. Workflows with significant privileges still require thorough reviews to ensure security. By implementing these changes, GitHub aims to provide a safer environment for developers, minimizing the threat of malicious exploits.
Overall, this update is a critical step in strengthening the security of the software supply chain on GitHub. Developers are encouraged to review their workflows and adopt best practices to protect their repositories from potential threats.
