GitHub Strengthens Software Supply Chain Security by Updating actions/checkout to Block Pwn Request Attacks
In a significant move to bolster software supply chain security, GitHub has announced an update to its “actions/checkout” feature, aimed at mitigating the risks associated with pwn request attacks. These attacks exploit vulnerabilities in the “pull_request_target” workflow trigger, allowing malicious code to execute with full privileges within a workflow. This update is crucial as it addresses a growing concern in the cybersecurity landscape, particularly regarding the integrity of open-source software.
Update Details and Implementation Timeline
Effective June 18, 2026, the latest iteration of “actions/checkout” will automatically reject common pwn request patterns. This change is set to be backported to all currently supported major versions by July 16, 2026. The update specifically targets scenarios where pull requests originate from forks, which have historically been a vector for exploitation.
GitHub’s announcement clarifies that “actions/checkout v7” will not fetch code from fork pull requests in “pull_request_target” and “workflow_run” workflows, particularly when the latter is triggered by pull request events. This proactive measure aims to prevent unauthorized access to sensitive information and maintain the integrity of workflows.
Criteria for Refusal
The refusal to fetch code will occur under specific conditions unless workflow authors explicitly opt out by enabling the “allow-unsafe-pr-checkout” flag. The criteria include:
- The repository resolves to the fork pull request’s repository.
- The reference matches either
refs/pull/number/headorrefs/pull/number/merge. - The reference resolves to a fork pull request’s head or merge commit SHA.
These measures are designed to thwart the most prevalent forms of pwn requests within the GitHub Actions ecosystem, ensuring that workflows remain secure from malicious inputs.
Understanding the Risks of pull_request_target
The “pull_request_target” trigger is designed to automate workflows without requiring manual approval when a pull request is opened, reopened, or updated. However, this convenience comes with significant risks. The event operates in the context of the base repository’s default branch, which can inadvertently expose sensitive data, including the GITHUB_TOKEN with both read and write permissions.
GitHub’s documentation warns that executing untrusted code within this trigger can lead to severe vulnerabilities, such as cache poisoning and unauthorized access to secrets. The potential for exploitation increases when a malicious actor submits a pull request containing harmful scripts, which, if executed, could compromise the GITHUB_TOKEN and other sensitive information.
Recent Exploits and Industry Implications
Recent months have witnessed a surge in software supply chain attacks, leveraging the vulnerabilities associated with the “pull_request_target” trigger. Notably, the compromise of multiple packages linked to the Nx build system, part of a campaign dubbed “s1ngularity,” exemplifies the severity of these threats. Other notable breaches include incidents involving PostHog, TanStack, and the popular Emacs package, “kubernetes-el.”
These incidents underscore the necessity for robust security measures in the software supply chain, as attackers increasingly target open-source projects. The update to “actions/checkout” is a critical step in addressing these vulnerabilities and restoring confidence in the security of GitHub Actions.
The Role of Trusted Automation
The “pull_request_target” trigger was initially designed for trusted automation tasks, such as labeling and commenting on pull requests. However, the checkout step plays a pivotal role in determining which code is executed within the workflow. If code from a forked pull request is pulled, it can lead to the execution of attacker-controlled code with the base repository’s privileges.
GitHub emphasizes that while this update significantly mitigates risks associated with fork pull requests, it does not encompass all potential vulnerabilities. Pwn requests triggered by other event types, such as issue comments or through alternative means like Git or the GitHub CLI, remain outside the scope of this change.
Recommendations for Developers
To further mitigate risks associated with “pull_request_target,” developers are advised to evaluate its necessity in their workflows. If elevated permissions or access to secrets are not required, switching to the “pull_request” trigger is recommended. Additionally, developers should restrict permissions granted to workflows and ensure that user-controlled input does not lead to the execution of untrusted code.
GitHub acknowledges that the protections introduced in this update are not exhaustive. While they provide a critical guardrail, workflows that involve secrets, write permissions, deployment permissions, or OIDC publishing access require thorough review to ensure security.
In conclusion, the update to “actions/checkout” represents a pivotal advancement in GitHub’s efforts to enhance software supply chain security. By addressing the vulnerabilities associated with pwn request attacks, GitHub is taking significant steps to protect developers and organizations from potential exploitation.
Source: thehackernews.com
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
