Skip to content
Latchkey

GitHub Actions pull_request_target checks out untrusted fork code

pull_request_target runs in the base repo context with secrets and a write token. Checking out the PR head runs untrusted fork code with those privileges, a serious risk.

What this error means

Code scanning or review flags a pull_request_target workflow that checks out the PR head and then runs build or test scripts from the fork.

github-actions
on: pull_request_target
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code with write token

Common causes

Checking out the fork head under pull_request_target

The event grants secrets and write access; running fork code lets it exfiltrate secrets or push.

Running build scripts from the PR

Any script in the checked-out fork code executes with the privileged token.

How to fix it

Avoid running untrusted code with privileges

  1. Use pull_request (not target) for builds that run PR code; it has no secrets and a read-only token.
  2. If you must use pull_request_target, do not check out or execute fork code; only handle metadata.
.github/workflows/ci.yml
on:
  pull_request:
permissions:
  contents: read

How to prevent it

  • Reserve pull_request_target for metadata-only automation like labeling.
  • Never check out PR head code in a pull_request_target job.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →