block checking out fork pr for some events

2026-06-18 10:17:13 +00:00 · 2026-06-12 19:12:01 +00:00
7 changed files with 28 additions and 65 deletions
--- a/README.md
+++ b/README.md
@@ -162,11 +162,8 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
    github-server-url: ''

    # Required to check out fork pull request code from a workflow triggered by
-    # `pull_request_target` or `workflow_run`. These workflows run with the base
-    # repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
-    # access; fetching and executing a fork's code in that trusted context commonly
-    # leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
-    # risks at https://gh.io/securely-using-pull_request_target.
+    # `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link) for
+    # the risks. Set to `true` only after reviewing the risks.
    # Default: false
    allow-unsafe-pr-checkout: ''
 ```
--- a/test/unsafe-pr-checkout-helper.test.ts
+++ b/test/unsafe-pr-checkout-helper.test.ts
@@ -13,7 +13,6 @@ const PR_MERGE_SHA = '2222222222222222222222222222222222222222'
 const SAFE_BASE_SHA = '3333333333333333333333333333333333333333'
 const WORKFLOW_RUN_HEAD_COMMIT_SHA = '4444444444444444444444444444444444444444'
 const BASE_QUALIFIED_REPO = 'some-owner/some-repo'
-const FORK_QUALIFIED_REPO = 'another-repo/fork'

 function setContext(eventName: string, payload: object): void {
  ;(github.context as {eventName: string}).eventName = eventName
@@ -26,7 +25,7 @@ function forkPullRequestTargetPayload(): object {
    pull_request: {
      head: {
        sha: PR_HEAD_SHA,
-        repo: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
+        repo: {id: FORK_REPO_ID}
      },
      merge_commit_sha: PR_MERGE_SHA
    }
@@ -39,7 +38,7 @@ function sameRepoPullRequestTargetPayload(): object {
    pull_request: {
      head: {
        sha: PR_HEAD_SHA,
-        repo: {id: BASE_REPO_ID, full_name: BASE_QUALIFIED_REPO}
+        repo: {id: BASE_REPO_ID}
      },
      merge_commit_sha: PR_MERGE_SHA
    }
@@ -52,7 +51,7 @@ function forkWorkflowRunPayload(): object {
    workflow_run: {
      event: 'pull_request',
      head_commit: {id: WORKFLOW_RUN_HEAD_COMMIT_SHA},
-      head_repository: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
+      head_repository: {id: FORK_REPO_ID}
    }
  }
 }
@@ -165,7 +164,7 @@ describe('unsafe-pr-checkout-helper', () => {
    setContext('pull_request_target', forkPullRequestTargetPayload())
    expect(() =>
      assertSafePrCheckout({
-        qualifiedRepository: FORK_QUALIFIED_REPO,
+        qualifiedRepository: 'attacker/fork',
        ref: 'refs/heads/main',
        commit: '',
        allowUnsafePrCheckout: false
@@ -173,25 +172,13 @@ describe('unsafe-pr-checkout-helper', () => {
    ).toThrow()
  })

-  it('allows pull_request_target checkout of an unrelated third-party repo', () => {
-    setContext('pull_request_target', forkPullRequestTargetPayload())
-    expect(() =>
-      assertSafePrCheckout({
-        qualifiedRepository: 'some-other/unrelated',
-        ref: 'refs/heads/main',
-        commit: '',
-        allowUnsafePrCheckout: false
-      })
-    ).not.toThrow()
-  })
-
  it('refuses pull_request_target ignoring repository case differences', () => {
    setContext('pull_request_target', forkPullRequestTargetPayload())
    expect(() =>
      assertSafePrCheckout({
-        qualifiedRepository: FORK_QUALIFIED_REPO.toUpperCase(),
+        qualifiedRepository: 'SOME-OWNER/SOME-REPO',
        ref: '',
-        commit: '',
+        commit: PR_HEAD_SHA,
        allowUnsafePrCheckout: false
      })
    ).toThrow()
--- a/action.yml
+++ b/action.yml
@@ -101,11 +101,8 @@ inputs:
  allow-unsafe-pr-checkout:
    description: >
      Required to check out fork pull request code from a workflow triggered by
-      `pull_request_target` or `workflow_run`. These workflows run with the
-      base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
-      runner access; fetching and executing a fork's code in that trusted
-      context commonly leads to "pwn request" vulnerabilities. Set to `true`
-      only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
+      `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link)
+      for the risks. Set to `true` only after reviewing the risks.
    default: false
 outputs:
  ref:
--- a/dist/index.js
+++ b/dist/index.js
@@ -2793,11 +2793,9 @@ function assertSafePrCheckout(input) {
        return;
    }
    let prHeadRepoId;
-    let prHeadRepoFullName;
    const prShas = [];
    if (eventName === 'pull_request_target') {
        prHeadRepoId = (0, ref_helper_1.fromPayload)('pull_request.head.repo.id');
-        prHeadRepoFullName = (0, ref_helper_1.fromPayload)('pull_request.head.repo.full_name');
        pushIfSha(prShas, (0, ref_helper_1.fromPayload)('pull_request.head.sha'));
        pushIfSha(prShas, (0, ref_helper_1.fromPayload)('pull_request.merge_commit_sha'));
    }
@@ -2807,13 +2805,7 @@ function assertSafePrCheckout(input) {
            return;
        }
        prHeadRepoId = (0, ref_helper_1.fromPayload)('workflow_run.head_repository.id');
-        prHeadRepoFullName = (0, ref_helper_1.fromPayload)('workflow_run.head_repository.full_name');
        pushIfSha(prShas, (0, ref_helper_1.fromPayload)('workflow_run.head_commit.id'));
-        // For `pull_request_target`-triggered workflow_run, `head_sha` is the base
-        // default branch SHA (not the PR head)
-        if (wrEvent !== 'pull_request_target') {
-            pushIfSha(prShas, (0, ref_helper_1.fromPayload)('workflow_run.head_sha'));
-        }
    }
    // (A) Fork PR?
    if (typeof prHeadRepoId !== 'number' || prHeadRepoId === baseRepoId) {
@@ -2821,20 +2813,20 @@ function assertSafePrCheckout(input) {
    }
    // (B) We cannot check for all fork PR refs so check to see
    // if the resolved input points to the fork PR sha we have in the payload
-    const repositoryMatchesPrHead = typeof prHeadRepoFullName === 'string' &&
-        input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase();
+    const baseQualifiedRepository = `${github.context.repo.owner}/${github.context.repo.repo}`;
+    const repositoryDiffersFromBase = input.qualifiedRepository.toLowerCase() !==
+        baseQualifiedRepository.toLowerCase();
    const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref);
    const commitMatchesPrHeadSha = !!input.commit && prShas.includes(input.commit.toLowerCase());
-    if (!repositoryMatchesPrHead &&
+    if (!repositoryDiffersFromBase &&
        !refMatchesPullPattern &&
        !commitMatchesPrHeadSha) {
        return;
    }
    throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
        `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
-        `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-        `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
-        `the risks at https://gh.io/securely-using-pull_request_target, set ` +
+        `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
+        `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
        `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
 }
 function pushIfSha(target, value) {
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,6 @@
        "@actions/github": "^6.0.0",
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.1",
-        "flatted": "^3.4.2",
        "uuid": "^9.0.1"
      },
      "devDependencies": {
@@ -3591,10 +3590,10 @@
      }
    },
    "node_modules/flatted": {
-      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
-      "license": "ISC"
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
+      "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
+      "dev": true
    },
    "node_modules/for-each": {
      "version": "0.3.3",
--- a/package.json
+++ b/package.json
@@ -33,7 +33,6 @@
    "@actions/github": "^6.0.0",
    "@actions/io": "^1.1.3",
    "@actions/tool-cache": "^2.0.1",
-    "flatted": "^3.4.2",
    "uuid": "^9.0.1"
  },
  "devDependencies": {
--- a/src/unsafe-pr-checkout-helper.ts
+++ b/src/unsafe-pr-checkout-helper.ts
@@ -6,7 +6,7 @@ const PR_REF_PATTERN = /^refs\/pull\/[0-9]+\/(?:head|merge)$/
 export interface IUnsafePrCheckoutInput {
  qualifiedRepository: string
  ref: string
-  commit: string | undefined
+  commit: string
  allowUnsafePrCheckout: boolean
 }

@@ -26,12 +26,10 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
  }

  let prHeadRepoId: unknown
-  let prHeadRepoFullName: unknown
  const prShas: string[] = []

  if (eventName === 'pull_request_target') {
    prHeadRepoId = fromPayload('pull_request.head.repo.id')
-    prHeadRepoFullName = fromPayload('pull_request.head.repo.full_name')
    pushIfSha(prShas, fromPayload('pull_request.head.sha'))
    pushIfSha(prShas, fromPayload('pull_request.merge_commit_sha'))
  } else {
@@ -40,13 +38,7 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
      return
    }
    prHeadRepoId = fromPayload('workflow_run.head_repository.id')
-    prHeadRepoFullName = fromPayload('workflow_run.head_repository.full_name')
    pushIfSha(prShas, fromPayload('workflow_run.head_commit.id'))
-    // For `pull_request_target`-triggered workflow_run, `head_sha` is the base
-    // default branch SHA (not the PR head)
-    if (wrEvent !== 'pull_request_target') {
-      pushIfSha(prShas, fromPayload('workflow_run.head_sha'))
-    }
  }

  // (A) Fork PR?
@@ -56,15 +48,16 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {

  // (B) We cannot check for all fork PR refs so check to see
  // if the resolved input points to the fork PR sha we have in the payload
-  const repositoryMatchesPrHead =
-    typeof prHeadRepoFullName === 'string' &&
-    input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase()
+  const baseQualifiedRepository = `${github.context.repo.owner}/${github.context.repo.repo}`
+  const repositoryDiffersFromBase =
+    input.qualifiedRepository.toLowerCase() !==
+    baseQualifiedRepository.toLowerCase()
  const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref)
  const commitMatchesPrHeadSha =
    !!input.commit && prShas.includes(input.commit.toLowerCase())

  if (
-    !repositoryMatchesPrHead &&
+    !repositoryDiffersFromBase &&
    !refMatchesPullPattern &&
    !commitMatchesPrHeadSha
  ) {
@@ -74,9 +67,8 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
  throw new Error(
    `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
      `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
-      `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-      `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
-      `the risks at https://gh.io/securely-using-pull_request_target, set ` +
+      `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
+      `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
      `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
  )
 }