GitHub Blocks Unreviewed Fork Checkouts in Actions v7, Backports Safeguard on July 16
3 articles · Updated · InfoWorld · Jun 22
Summary
actions/checkout v7 now fails workflows that try to fetch unreviewed fork pull-request code inside pull_request_target or workflow_run events, cutting off a common “pwn request” path to repository secrets.
GitHub made the change after a surge in attacks exploiting developers’ unsafe use of pull_request_target, which can run attacker-controlled code with full workflow privileges when paired with checkout of fork code.
July 16 will bring the new default to all supported major versions: floating tags such as actions/checkout@v4 will inherit it automatically, while workflows pinned to a SHA or minor version must upgrade manually or via Dependabot.
TeamPCP and other attackers have already abused the weakness in open-source supply chains; one attack last month compromised 170 npm packages, including parts of the TanStack Router ecosystem.
GitHub cast the release as part of a broader secure-by-default push, though it said other attack paths remain and more event hardening may follow.
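The risky layout the summary describes is easy to audit for before the July 16 rollout reaches a repository. Below is an added example, not code from the InfoWorld articles, GitHub or the actions/checkout project: a stdlib-only Python scanner that flags a workflow when a privileged trigger (pull_request_target or workflow_run) is combined with an actions/checkout step whose ref points at the pull request's head, and reports how the action is pinned so you know whether the new default will arrive automatically. The two workflow samples are constructed, and the scanner is a line-based heuristic for the usual YAML layouts, not a full YAML parser.

```python
"""Flag the "pwn request" layout: a privileged trigger (pull_request_target / workflow_run)
plus an actions/checkout step that fetches the pull request's head, i.e. unreviewed fork code."""
import re

PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}

# Expressions that resolve to the PR (or triggering workflow_run) head instead of the base
# branch; under a privileged trigger that code runs with the workflow's token and secrets.
HEAD_REF_PATTERNS = [re.compile(p) for p in (
    r"github\.event\.pull_request\.head\.(sha|ref)",
    r"github\.head_ref",
    r"refs/pull/.+/(merge|head)",
    r"github\.event\.workflow_run\.(head_sha|head_branch)",
)]
CHECKOUT_RE = re.compile(r"^(\s*)(?:-\s*)?uses:\s*actions/checkout@(\S+)")
KEY_RE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_]+)\s*:?\s*$")

def indent(line):
    return len(line) - len(line.lstrip(" "))

def triggers(text):
    """Return the set of event names under the workflow's `on:` key."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("on:")), None)
    if start is None:
        return set()
    inline = lines[start][3:].strip()
    if inline:  # `on: push` or `on: [pull_request_target, push]`
        return {n.strip() for n in inline.strip("[]").split(",") if n.strip()}
    names, level = set(), None
    for nxt in lines[start + 1:]:
        if nxt.strip() and indent(nxt) == 0:  # back at top level, the `on:` block is over
            break
        level = level or indent(nxt)  # first nested line fixes the depth of event names
        km = KEY_RE.match(nxt)
        if km and indent(nxt) == level:  # options such as `types:` sit deeper and are skipped
            names.add(km.group(1))
    return names

def pin_style(version):
    """Floating major tags pick up new defaults on their own; SHA and minor/patch pins do not."""
    if re.fullmatch(r"[0-9a-f]{40}", version):
        return "sha"
    if re.fullmatch(r"v\d+", version):
        return "floating-major"
    return "pinned-version"

def scan(text):
    """One finding per checkout step that fetches PR head code under a privileged trigger."""
    findings, lines = [], text.splitlines()
    if not (triggers(text) & PRIVILEGED_TRIGGERS):
        return findings  # plain pull_request: a fork PR gets a read-only token and no secrets
    for i, line in enumerate(lines):
        m = CHECKOUT_RE.match(line)
        if not m:
            continue
        base, version = len(m.group(1)), m.group(2)
        # The step body ends at the first line dedented past `uses:` or at a sibling `- ...` step.
        for j in range(i + 1, len(lines)):
            nxt = lines[j]
            if nxt.strip() and (indent(nxt) < base
                                or (indent(nxt) == base and nxt.lstrip().startswith("- "))):
                break
            rm = re.match(r"^\s*ref:\s*(.+?)\s*$", nxt)
            if rm and any(p.search(rm.group(1)) for p in HEAD_REF_PATTERNS):
                findings.append({"line": j + 1, "ref": rm.group(1),
                                 "checkout": version, "pin": pin_style(version)})
    return findings

# Constructed sample: the PR's own package.json scripts run with the repository's secrets.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: same build on the plain pull_request trigger with the default ref.
HARDENED_WORKFLOW = """\
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    print(scan(VULNERABLE_WORKFLOW), scan(HARDENED_WORKFLOW))
```

Run `scan()` over each file under `.github/workflows/`: a finding means the job will start failing once its checkout version carries the v7 default, and a `pin` of `sha` or `pinned-version` means that default will not arrive on its own. Keeping pull_request_target but dropping the `ref:` so the step checks out the base branch also yields no finding, which matches what the safeguard permits.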