GitHub Actions hardens checkout security to block ‘pwn request’ attacks
Summary
GitHub has released actions/checkout v7 to block 'pwn request' attacks, which exploit the pull_request_target workflow trigger (a setting that lets workflows access secrets when processing pull requests from outside contributors) to run attacker code with full privileges. The new version automatically blocks and fails workflows when they try to fetch unreviewed fork pull request code, unless developers explicitly opt out. Starting July 16, this security fix will be backported to all supported versions, marking a shift toward 'secure by default' design where security is enforced by the system rather than left to developers.
Solution / Mitigation
Update to actions/checkout v7, which "now automatically blocks and fails workflows when used inside pull_request_target or workflow_run events when attempting to fetch unreviewed fork pull request code." Workflows using floating major version tags (e.g., actions/checkout@v4) will automatically receive the fix on July 16. Workflows pinned to specific SHA, minor, or patch versions must upgrade manually using Dependabot or established upgrade processes. Developers who need the old behavior can add an explicit "allow-unsafe-pr-checkout" flag to actions/checkout.
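To make the mitigation concrete, the following workflow fragments show the pattern the v7 change is designed to stop next to a hardened equivalent. This is an added illustration, not a workflow from the article or from GitHub's actions/checkout documentation. It assumes that "unreviewed fork pull request code" means checking out the fork's head commit (`github.event.pull_request.head.sha`) under `pull_request_target`, and it uses the opt-out input name exactly as the article reports it (`allow-unsafe-pr-checkout`), which should be confirmed against the actions/checkout v7 README before use.

```yaml
# Added illustration (not from the article or from GitHub). Three YAML
# documents separated by "---": the risky pattern, the hardened form, and
# the explicit opt-out the article describes.

# --- Risky pattern that checkout v7 now fails ----------------------------
# pull_request_target runs in the base repository's context: secrets are
# available and GITHUB_TOKEN can be write-capable. Fetching the fork's head
# commit and then running anything from it (package install, tests, a linter
# that loads plugins) executes unreviewed contributor code with those
# privileges. With actions/checkout v7 the checkout step fails instead.
on:
  pull_request_target:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          # Fork's head commit: assumed to be the "unreviewed fork pull
          # request code" the article refers to (assumption, not stated there).
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # runs whatever the fork's package.json declares
---
# --- Hardened form --------------------------------------------------------
# The plain pull_request trigger runs in the pull request's own context:
# repository secrets are not passed to fork PRs and GITHUB_TOKEN is
# read-only. The default checkout ref is the PR merge commit, so no explicit
# ref is needed. Least privilege is declared explicitly for clarity.
on:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v7
      - run: npm ci && npm test
---
# --- Explicit opt-out (kept commented; only for a deliberate, reviewed design)
# The article says the old behaviour remains available behind an explicit
# flag. Keeping the flag visible in the workflow file makes the risk
# reviewable in code review and greppable across an organisation.
on:
  pull_request_target:

jobs:
  legacy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # allow-unsafe-pr-checkout: true   # input name as reported in the article
```

A quick way to find candidates for review is to search workflow files for `pull_request_target` together with a `ref:` that references `pull_request.head`; after July 16 those workflows will either need the hardened form above or the explicit opt-out, and the opt-out is the line a reviewer should question.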
Classification
Original source: https://www.csoonline.com/article/4188144/github-actions-hardens-checkout-security-to-block-pwn-request-attacks-2.html
First tracked: June 22, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 95%