update urls

Aiqiao Yan
2026-06-15 20:07:36 +00:00
parent c2edb9a740
commit 678aa28ba1
4 changed files with 16 additions and 8 deletions


@@ -162,8 +162,11 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
github-server-url: ''
# Required to check out fork pull request code from a workflow triggered by
# `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link) for
# the risks. Set to `true` only after reviewing the risks.
# `pull_request_target` or `workflow_run`. These workflows run with the base
# repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
# access; fetching a fork's code in that trusted context is the "pwn request"
# supply-chain attack pattern. Set to `true` only after reviewing the risks at
# https://gh.io/allow-unsafe-pr-checkout.
# Default: false
allow-unsafe-pr-checkout: ''
```


@@ -101,8 +101,11 @@ inputs:
allow-unsafe-pr-checkout:
description: >
Required to check out fork pull request code from a workflow triggered by
`pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link)
for the risks. Set to `true` only after reviewing the risks.
`pull_request_target` or `workflow_run`. These workflows run with the
base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
runner access; fetching a fork's code in that trusted context is a
"pwn request" supply-chain attack pattern. Set to `true` only after
reviewing the risks at https://gh.io/allow-unsafe-pr-checkout.
default: false
outputs:
ref:

5
dist/index.js vendored

@@ -2833,8 +2833,9 @@ function assertSafePrCheckout(input) {
throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
`cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
`"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
`"pwn request" supply-chain attack pattern. To opt in after reviewing the risks at ` +
`https://gh.io/allow-unsafe-pr-checkout, set 'allow-unsafe-pr-checkout: true' on the ` +
`actions/checkout step.`);
}
function pushIfSha(target, value) {
if (typeof value === 'string' && value.length > 0) {


@@ -75,8 +75,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
`cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
`"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
`"pwn request" supply-chain attack pattern. To opt in after reviewing the risks at ` +
`https://gh.io/allow-unsafe-pr-checkout, set 'allow-unsafe-pr-checkout: true' on the ` +
`actions/checkout step.`
)
}
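Review bot: The documentation URL is now a bare literal inside the error string here, and the same literal is repeated in the README and the action.yml description, so the next link change has to touch every copy by hand. In this file I would lift it into a named constant, e.g. `const UNSAFE_PR_CHECKOUT_DOCS_URL = 'https://gh.io/allow-unsafe-pr-checkout'`, and interpolate it as `${UNSAFE_PR_CHECKOUT_DOCS_URL}` in the message. This is the text a user reads at the moment the guard refuses the checkout, and a short link hides its destination, so it may be worth using the full documentation URL if a stable one exists. While the string is open, the unchanged fragment `Fetching fork's code` reads better as `Fetching a fork's code`, matching the action.yml wording. The body of assertSafePrCheckout starts above the hunk, so the condition that triggers this throw is not visible here.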