backport allow-unsafe-pr-checkout to v3 (#2503)

* block checking out fork pr for pull_request_target and workflow_run (#2454)

* block checking out fork pr for some events

* address copilot and reviewer feedback

* run prettier formatting

* build

* update urls

* update readme

* update description and url again

* edit url one more time

* update error wording (#2467)

* Upgrade upload-artifact action to version 4
This commit is contained in:
Aiqiao Yan
2026-07-07 16:34:20 -04:00
committed by GitHub
parent f43a0e5ff2
commit 58246fdaeb
11 changed files with 508 additions and 4 deletions

View File

@@ -86,6 +86,15 @@ inputs:
github-server-url:
description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
required: false
allow-unsafe-pr-checkout:
description: >
Required to check out fork pull request code from a workflow triggered by
`pull_request_target` or `workflow_run`. These workflows run with the
base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
runner access; fetching and executing a fork's code in that trusted
context commonly leads to "pwn request" vulnerabilities. Set to `true`
only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
default: false
runs:
using: node16
main: dist/index.js