The Bottom Line: GitHub restricts actions/checkout to prevent attackers from executing code with full workflow privileges via the pull_request_target trigger.
GitHub updates the “actions/checkout” action as of June 18, 2026, to block attacks in which pull request workflows execute malicious code with full workflow privileges.
With the update to “actions/checkout” as of June 18, 2026, GitHub is targeting a known attack class: pwn request attacks that exploit the “pull_request_target” workflow trigger. This trigger was originally designed for automated checks on pull requests — it loads code from a fork or branch in a request, but executes it with the full permissions of the target repository.
Attackers who control a fork can inject arbitrary code within pull requests and then extract secrets, credentials, or access tokens from the CI/CD pipeline. Because pull_request_target grants this malicious code full access, it creates a direct supply chain threat, especially when the affected repository publishes production code or is used in dependent projects.
The block in “actions/checkout” enforces protective measures that restrict checkout behavior when running under the “pull_request_target” trigger. This prevents common attack parameters and forces maintainers to make more conscious decisions about permission assignment. For standard workflows using the “pull_request” trigger, there is no impact.
For engineers, this means: if your project uses “pull_request_target,” review your workflow configuration after June 18 for potential errors. The official GitHub documentation contains best practices for secure handling of untrusted code in pull request workflows.
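One way to run that review across a repository's workflow files is sketched below. This is an added example, not code from GitHub or from the source article. The function name `audit_workflow`, the regex heuristics, and the sample workflow are assumptions made for illustration. It flags `actions/checkout` steps whose `ref` or `repository` input points at the pull request head inside a workflow triggered by `pull_request_target`, and it does not reproduce the checks the updated action itself applies.

```python
import re

# Heuristic, line-based scan (an assumption of this sketch; it is not a YAML parser).
CHECKOUT = re.compile(r"^(\s*(?:-\s+)?)uses:\s*actions/checkout@\S+")
PR_CONTROLLED = re.compile(
    r"^\s*(ref|repository):.*"
    r"(github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/)")

def audit_workflow(text):
    """Return [(line_no, line)] for checkout inputs that pull PR-controlled code
    in a workflow triggered by pull_request_target."""
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]  # drop comments
    if not any(re.search(r"\bpull_request_target\b", l) for l in lines):
        return []  # workflows on plain pull_request are out of scope
    findings = []
    for i, line in enumerate(lines):
        m = CHECKOUT.match(line)
        if not m:
            continue
        key_col = len(m.group(1))  # column where this step's keys start
        for j in range(i + 1, len(lines)):
            nxt = lines[j]
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_col:
                break  # next step or next job
            if PR_CONTROLLED.match(nxt):
                findings.append((j + 1, nxt.strip()))
    return findings

# Constructed sample workflow, not taken from any real repository.
RISKY = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for line_no, line in audit_workflow(RISKY):
        print(f"line {line_no}: checkout of PR-controlled code: {line}")
```

A finding means the step needs manual review of what later steps execute and which secrets and token permissions the job holds. An empty result is not proof that a workflow is safe.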
Source: thehackernews.com · Published June 23, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.