Skip to content

docs: security hardening info for actions untrusted content #38048

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
+81 −3
Open

docs: security hardening info for actions untrusted content #38048

Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
81db9f3
docs: untrusted code risks in actions
wrslatz Apr 29, 2025
e4df5a1
docs: expand pull_request_target warning links
wrslatz Apr 29, 2025
bccd376
docs: warning for workflow_run security risks
wrslatz Apr 29, 2025
e6a50fb
Update content/actions/how-tos/security-for-github-actions/security-g…
Sharra-writes Jul 10, 2025
834a877
Update content/actions/how-tos/security-for-github-actions/security-g…
Sharra-writes Jul 10, 2025
809c2c5
Update content/actions/how-tos/security-for-github-actions/security-g…
Sharra-writes Jul 10, 2025
d03bd88
Update data/reusables/actions/pull-request-target-permissions-warning.md
Sharra-writes Jul 10, 2025
b1ff7f6
Update data/reusables/actions/workflow-run-permissions-warning.md
Sharra-writes Jul 10, 2025
1871bfa
docs: sync hardening info to enterprise-onboarding
wrslatz Jul 10, 2025
153ca42
docs: fix grammar and improve content in reusables
wrslatz Jul 14, 2025
f710cb9
Merge branch 'main' into gha-hardening-pull-request-target
wrslatz Aug 7, 2025
ae2c0e4
Merge branch 'main' into gha-hardening-pull-request-target
wrslatz Aug 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Update content/actions/how-tos/security-for-github-actions/security-g… 
…uides/security-hardening-for-github-actions.md

Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
Co-authored-by: Will Slattum <wrslatz@gmail.com>
  • Loading branch information
@Sharra-writes @JarLob @wrslatz
3 people committed Jul 30, 2025
commit 834a87794fca9edb8b494ffae49cfa3e43615e1b
2 changes: 1 addition & 1 deletion content/actions/reference/security/secure-use.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned

## Understanding the risks of untrusted code checkout

Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows have write access and access to secrets in the target repository, which can be exploited to take over a repository.
Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository.

Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them.

Expand Down