GitHub Actions checkout v7 enhances security for pull_request_target
GitHub Actions checkout v7 now defaults to refusing common 'pwn request' patterns, preventing vulnerabilities in workflows triggered by pull_request_target events from forks. This change is crucial for supply-chain security, affecting users who rely on checking out unreviewed pull request code. The update is available now for workflows pinned to floating major tags, with enforcement backported to supported major versions by July 2026.
- actions/checkout v7 blocks insecure fork pull request checks in pull_request_target
- Protection for pull_request_target enforced on supported major versions by July 2026
- Opt-out mechanism available for workflows needing to check out fork pull request code
- Same-repository pull requests and pull_request events remain unchanged
Security (1)
- actions/checkout v7 blocks insecure fork pull request checks in pull_request_target
The new actions/checkout v7 refuses to fetch pull request code from forks in pull_request_target and workflow_run events to prevent 'pwn requests'. This change addresses vulnerabilities where attacker-controlled code could execute with high privileges. Workflows using floating major tags will automatically update; others may need manual upgrades.
Enhancements (2)
- Protection for pull_request_target enforced on supported major versions by July 2026
GitHub will backport the security enforcement from actions/checkout v7 to all currently supported major versions by July 16, 2026. This ensures broader protection against insecure pull request checks over time. Workflows pinned to specific SHAs, minor, or patch versions will not be affected by this backport.
- Opt-out mechanism available for workflows needing to check out fork pull request code
A mechanism exists to opt out of this new security protection by adding the `allow-unsafe-pr-checkout` input to the actions/checkout step. This is intended for specific workflows that intentionally require checking out fork pull request code with elevated trust, such as generating coverage reports or running authenticated checks.
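The following workflow fragments are an added illustration of the two passages above (the pattern v7 now refuses, and the opt-out); they are not from the GitHub changelog or the actions/checkout project. `actions/checkout@v7`, the `pull_request_target` event and the `allow-unsafe-pr-checkout` input name come from the changelog; `github.event.pull_request.head.sha` is the standard GitHub Actions context expression. The value `true` for the opt-out input, the job and secret names and the `npm` commands are assumptions for illustration.

```yaml
# Added example, not code from the GitHub changelog or actions/checkout.
# Three workflow documents separated by `---`; each would live in its own file.

# .github/workflows/pr-untrusted.yml (recommended shape for fork code)
# Under `pull_request`, a fork's PR gets a read-only GITHUB_TOKEN and no repository
# secrets, so checking out and running its code carries little privilege to abuse.
name: pr-untrusted
on:
  pull_request:
jobs:
  build-and-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v7      # default ref is the PR merge commit; fine here
      - run: npm ci && npm test        # assumed commands; fork-controlled, but unprivileged
---
# .github/workflows/pr-privileged.yml (the pattern actions/checkout v7 refuses by default)
# `pull_request_target` runs in the base repository with a write-capable token and
# access to secrets. Explicitly fetching the fork's head commit into that job is the
# "pwn request" shape: fork-controlled files run with the base repo's privileges.
name: pr-privileged
on:
  pull_request_target:
jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # v7 refuses this for fork PRs
      - run: npm ci && npm run coverage                    # assumed commands
        env:
          COVERAGE_TOKEN: ${{ secrets.COVERAGE_TOKEN }}    # assumed secret name
---
# Deliberate opt-out, only for a workflow that genuinely needs fork code with elevated
# trust (the changelog's coverage-report case). The input name is from the changelog;
# the value `true` is assumed. Keep `permissions` minimal so the opt-out exposes as
# little as possible.
name: pr-coverage-optout
on:
  pull_request_target:
jobs:
  coverage:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # assumed: needed only if the job comments on the PR
    steps:
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          allow-unsafe-pr-checkout: true   # assumed value for the changelog's opt-out input
      - run: npm ci && npm run coverage    # assumed commands
```

Two points a reviewer checks on the opt-out: the `permissions` block should be the minimum the job needs, and the job should not expose long-lived secrets to steps that run fork-controlled scripts. If the work can be split so that untrusted code runs under `pull_request` and only its artifacts are consumed by a privileged job, the opt-out is not needed at all.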
Notes (1)
- Same-repository pull requests and pull_request events remain unchanged
This security enhancement does not affect same-repository pull requests or workflows triggered by the `pull_request` event. The primary focus is on mitigating risks associated with `pull_request_target` events, which are more susceptible to supply-chain attacks from external forks.
https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout