Skip to content
Latchkey

How to Safely Trigger on pull_request_target in GitHub Actions

pull_request_target runs in the base repo context with write access and secrets, so treat any PR code it touches as untrusted.

Use on.pull_request_target when you need write permissions or secrets on a fork PR (labeling, commenting). Do not check out and build the PR head, or you run untrusted code with your token.

Steps

  • Add pull_request_target: under on.
  • Keep steps limited to trusted automation (labels, comments).
  • Do not checkout the PR head ref and execute its scripts.

Workflow

.github/workflows/labeler.yml
on:
  pull_request_target:
    types: [opened, reopened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5

Gotchas

  • The workflow file that runs is the one on the base branch, not the PR, so attackers cannot edit it in the PR.
  • If you must build PR code, do it in a separate pull_request workflow that has no secrets.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →