How to Safely Trigger on pull_request_target in GitHub Actions
pull_request_target runs in the base repo context with write access and secrets, so treat any PR code it touches as untrusted.
Use on.pull_request_target when you need write permissions or secrets on a fork PR (labeling, commenting). Do not check out and build the PR head, or you run untrusted code with your token.
Steps
- Add
pull_request_target:underon. - Keep steps limited to trusted automation (labels, comments).
- Do not
checkoutthe PR head ref and execute its scripts.
Workflow
.github/workflows/labeler.yml
on:
pull_request_target:
types: [opened, reopened]
permissions:
pull-requests: write
jobs:
label:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v5Gotchas
- The workflow file that runs is the one on the base branch, not the PR, so attackers cannot edit it in the PR.
- If you must build PR code, do it in a separate
pull_requestworkflow that has no secrets.
Related guides
How to Trigger a Workflow on a Pull Request in GitHub ActionsRun GitHub Actions checks on pull requests with the pull_request event, filtering on activity types like open…
How to Trigger a Workflow When the Repository Is Forked in GitHub ActionsRun a GitHub Actions workflow when someone forks your repository using the fork event, for maintainer notific…