
block checking out fork pr for pull_request_target and workflow_run#2454

Merged: aiqiaoy merged 8 commits into main from enforce-safe-checkout on Jun 16, 2026

Conversation

aiqiaoy (Contributor) commented Jun 12, 2026
Implements https://github.com/github/c2c-actions/pull/10159

TL;DR: This PR adds a check that refuses to check out fork pull request code when the workflow trigger is either pull_request_target or workflow_run, unless the workflow author explicitly opts in via a new input allow-unsafe-pr-checkout: true.

Comment thread dist/index.js
@aiqiaoy aiqiaoy marked this pull request as ready for review June 15, 2026 14:13
Copilot AI review requested due to automatic review settings June 15, 2026 14:13
aiqiaoy changed the title from "block checking out fork pr for some events" to "block checking out fork pr for pull_request_target and workflow_run" Jun 15, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Adds a guardrail to prevent accidentally checking out fork pull request code in privileged GitHub Actions contexts (pull_request_target and PR-triggered workflow_run), with an explicit opt-in escape hatch for advanced workflows.

Changes:

  • Introduces assertSafePrCheckout to detect and block unsafe fork-PR checkouts in privileged events unless allow-unsafe-pr-checkout is enabled.
  • Adds a new action input (allow-unsafe-pr-checkout) and threads it through input parsing and settings.
  • Updates documentation and adds test coverage for the new safety checks.
| File | Description |
|---|---|
| src/unsafe-pr-checkout-helper.ts | New helper that blocks unsafe fork PR checkout patterns in privileged events unless opted in. |
| src/ref-helper.ts | Exports fromPayload for reuse by the new safety helper. |
| src/input-helper.ts | Parses allow-unsafe-pr-checkout and invokes the new safety assertion during input handling. |
| src/git-source-settings.ts | Extends settings interface with allowUnsafePrCheckout. |
| README.md | Documents the new input and its intent. |
| action.yml | Adds the new input to the action metadata. |
| test/unsafe-pr-checkout-helper.test.ts | New unit tests validating allow/refuse behavior across events and patterns. |
| test/input-helper.test.ts | Asserts the new setting defaults to false. |
| test/git-auth-helper.test.ts | Updates test settings object to include the new required field. |
| dist/index.js | Bundled output updated to include the new logic. |

Copilot's findings


  • Files reviewed: 9/10 changed files
  • Comments generated: 4
Comment thread src/unsafe-pr-checkout-helper.ts
Comment thread src/unsafe-pr-checkout-helper.ts
Comment thread README.md Outdated
Comment thread action.yml
Comment thread src/unsafe-pr-checkout-helper.ts Outdated
Comment thread src/unsafe-pr-checkout-helper.ts
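The guardrail the PR description and the review summary above describe, written out as a standalone check. This is an added example, not the project's own src/unsafe-pr-checkout-helper.ts. The input names `ref`, `repository` and `allow-unsafe-pr-checkout` come from the PR; the payload fields are the standard GitHub webhook shapes; the exact ref patterns treated as "fork PR code", the treatment of workflow_run as privileged only when the upstream run was PR-triggered, and the function and interface names are assumptions of this example.

```typescript
// Added example (not actions/checkout's code): refuse to check out fork pull
// request code when the workflow is running in a privileged PR context, unless
// the workflow opts in with allow-unsafe-pr-checkout: true.
// Assumed names: PrHead, EventPayload, CheckoutInputs, findUnsafeForkPrCheckout.

export interface PrHead {
  sha: string;
  ref: string; // head branch name
  repo: { full_name: string; fork: boolean };
}

export interface EventPayload {
  // github.event for pull_request / pull_request_target
  pull_request?: { number: number; head: PrHead };
  // github.event for workflow_run
  workflow_run?: {
    event: string; // event that triggered the upstream run, e.g. "pull_request"
    head_sha: string;
    head_branch: string;
    head_repository: { full_name: string };
  };
}

export interface CheckoutInputs {
  eventName: string;              // GITHUB_EVENT_NAME
  currentRepository: string;      // GITHUB_REPOSITORY, owner/name
  repository: string;             // `repository` input, owner/name
  ref: string;                    // `ref` input: "", branch, refs/pull/N/{merge,head}, or SHA
  allowUnsafePrCheckout: boolean; // `allow-unsafe-pr-checkout` input
  payload: EventPayload;
}

// Assumption: these ref spellings are the ones that resolve to PR code.
const PR_REF = /^(?:refs\/)?pull\/\d+\/(?:merge|head)$/;

// Returns a human-readable reason when the requested checkout would pull fork PR
// code into a privileged workflow, or null when the checkout is safe.
export function findUnsafeForkPrCheckout(i: CheckoutInputs): string | null {
  // Resolve the PR head this event carries. workflow_run is only treated as
  // PR-driven when the upstream run was itself started by a pull request.
  let head: { sha: string; branch: string; repo: string } | undefined;
  if (i.eventName === "pull_request_target" && i.payload.pull_request) {
    const h = i.payload.pull_request.head;
    head = { sha: h.sha, branch: h.ref, repo: h.repo.full_name };
  } else if (i.eventName === "workflow_run" && i.payload.workflow_run) {
    const w = i.payload.workflow_run;
    if (w.event === "pull_request" || w.event === "pull_request_target") {
      head = { sha: w.head_sha, branch: w.head_branch, repo: w.head_repository.full_name };
    }
  }
  if (!head) return null; // not a privileged PR context: pull_request, push, etc.

  const sameRepo = (a: string, b: string) => a.toLowerCase() === b.toLowerCase();
  // A PR opened from a branch of the base repository is not fork code.
  if (sameRepo(head.repo, i.currentRepository)) return null;

  const ref = i.ref.trim();
  // Pattern 1: `repository` input pointed directly at the fork.
  if (sameRepo(i.repository, head.repo)) {
    return `repository input points at fork ${head.repo}`;
  }
  // Checking out some unrelated repository is outside this check's scope.
  if (!sameRepo(i.repository, i.currentRepository)) return null;
  // Pattern 2: refs/pull/N/merge or refs/pull/N/head in the base repo.
  if (PR_REF.test(ref)) {
    return `ref ${ref} resolves to fork PR code from ${head.repo}`;
  }
  // Pattern 3: the fork's head commit SHA (full or abbreviated, 7+ chars).
  if (ref.length >= 7 && head.sha.toLowerCase().startsWith(ref.toLowerCase())) {
    return `ref ${ref} is the fork PR head commit from ${head.repo}`;
  }
  return null;
}

// Throws unless the checkout is safe or the workflow explicitly opted in.
export function assertSafePrCheckout(i: CheckoutInputs): void {
  const reason = findUnsafeForkPrCheckout(i);
  if (reason && !i.allowUnsafePrCheckout) {
    throw new Error(
      `Refusing to check out fork pull request code in a ${i.eventName} workflow (${reason}). ` +
      `That would run untrusted code with the base repository's token and secrets. ` +
      `Set allow-unsafe-pr-checkout: true only if you understand the risk.`
    );
  }
}
```

The order of the three patterns matters: the `repository` comparison runs first so that a fork checkout is refused regardless of what `ref` says, and the base-repo short-circuit keeps the default checkout (empty `ref`, which lands on the base branch) working unchanged in pull_request_target workflows.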
yaananth previously approved these changes Jun 15, 2026
aiqiaoy merged commit f9e715a into main Jun 16, 2026
12 checks passed
aiqiaoy deleted the enforce-safe-checkout branch June 16, 2026 14:03
doonga pushed a commit to greyrock-labs/home-ops that referenced this pull request Jun 18, 2026
…(#332)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action | major | `v6.0.3` → `v7.0.0` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v7.0.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v700)

[Compare Source](actions/checkout@v6.0.3...v7.0.0)

- Block checking out fork PR for pull_request_target and workflow_run by [@aiqiaoy](https://github.com/aiqiaoy) in [#2454](actions/checkout#2454)
- Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by [@dependabot](https://github.com/dependabot)[bot] in [#2458](actions/checkout#2458)
- Bump flatted from 3.3.1 to 3.4.2 by [@dependabot](https://github.com/dependabot)[bot] in [#2460](actions/checkout#2460)
- Bump js-yaml from 4.1.0 to 4.2.0 by [@dependabot](https://github.com/dependabot)[bot] in [#2461](actions/checkout#2461)
- Bump [@actions/core](https://github.com/actions/core) and [@actions/tool-cache](https://github.com/actions/tool-cache) and Remove uuid by [@dependabot](https://github.com/dependabot)[bot] in [#2459](actions/checkout#2459)
- upgrade module to esm and update dependencies by [@aiqiaoy](https://github.com/aiqiaoy) in [#2463](actions/checkout#2463)
- Bump the minor-npm-dependencies group across 1 directory with 3 updates by [@dependabot](https://github.com/dependabot)[bot] in [#2462](actions/checkout#2462)

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/New_York)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.greyrock.io/greyrock-labs/home-ops/pulls/332
fproulx-boostsecurity commented:

This is awesome @aiqiaoy!


7 participants