run prettier formatting

address copilot and reviewer feedback
block checking out fork pr for some events
2026-06-18 10:17:13 +00:00 · 2026-06-15 16:18:29 +00:00 · 2026-06-15 16:12:03 +00:00 · 2026-06-12 19:12:01 +00:00
6 changed files with 14 additions and 23 deletions
--- a/README.md
+++ b/README.md
@@ -162,11 +162,8 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
    github-server-url: ''

    # Required to check out fork pull request code from a workflow triggered by
-    # `pull_request_target` or `workflow_run`. These workflows run with the base
-    # repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
-    # access; fetching and executing a fork's code in that trusted context commonly
-    # leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
-    # risks at https://gh.io/securely-using-pull_request_target.
+    # `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link) for
+    # the risks. Set to `true` only after reviewing the risks.
    # Default: false
    allow-unsafe-pr-checkout: ''
 ```
--- a/action.yml
+++ b/action.yml
@@ -101,11 +101,8 @@ inputs:
  allow-unsafe-pr-checkout:
    description: >
      Required to check out fork pull request code from a workflow triggered by
-      `pull_request_target` or `workflow_run`. These workflows run with the
-      base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
-      runner access; fetching and executing a fork's code in that trusted
-      context commonly leads to "pwn request" vulnerabilities. Set to `true`
-      only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
+      `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link)
+      for the risks. Set to `true` only after reviewing the risks.
    default: false
 outputs:
  ref:
--- a/dist/index.js
+++ b/dist/index.js
@@ -2822,7 +2822,8 @@ function assertSafePrCheckout(input) {
    // (B) We cannot check for all fork PR refs so check to see
    // if the resolved input points to the fork PR sha we have in the payload
    const repositoryMatchesPrHead = typeof prHeadRepoFullName === 'string' &&
-        input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase();
+        input.qualifiedRepository.toLowerCase() ===
+            prHeadRepoFullName.toLowerCase();
    const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref);
    const commitMatchesPrHeadSha = !!input.commit && prShas.includes(input.commit.toLowerCase());
    if (!repositoryMatchesPrHead &&
@@ -2832,9 +2833,8 @@ function assertSafePrCheckout(input) {
    }
    throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
        `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
-        `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-        `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
-        `the risks at https://gh.io/securely-using-pull_request_target, set ` +
+        `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
+        `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
        `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
 }
 function pushIfSha(target, value) {
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,7 +14,6 @@
        "@actions/github": "^6.0.0",
        "@actions/io": "^1.1.3",
        "@actions/tool-cache": "^2.0.1",
-        "flatted": "^3.4.2",
        "uuid": "^9.0.1"
      },
      "devDependencies": {
@@ -3591,10 +3590,10 @@
      }
    },
    "node_modules/flatted": {
-      "version": "3.4.2",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
-      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
-      "license": "ISC"
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
+      "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
+      "dev": true
    },
    "node_modules/for-each": {
      "version": "0.3.3",
--- a/package.json
+++ b/package.json
@@ -33,7 +33,6 @@
    "@actions/github": "^6.0.0",
    "@actions/io": "^1.1.3",
    "@actions/tool-cache": "^2.0.1",
-    "flatted": "^3.4.2",
    "uuid": "^9.0.1"
  },
  "devDependencies": {
--- a/src/unsafe-pr-checkout-helper.ts
+++ b/src/unsafe-pr-checkout-helper.ts
@@ -74,9 +74,8 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
  throw new Error(
    `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
      `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
-      `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-      `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
-      `the risks at https://gh.io/securely-using-pull_request_target, set ` +
+      `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
+      `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
      `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
  )
 }
Author	SHA1	Message	Date
Aiqiao Yan	c12eb249cb	run prettier formatting	2026-06-15 16:18:29 +00:00
Aiqiao Yan	12a489776f	address copilot and reviewer feedback	2026-06-15 16:12:03 +00:00
Aiqiao Yan	b8447332b0	block checking out fork pr for some events	2026-06-12 19:12:01 +00:00