GitHub is cutting off one of the most abused attack surfaces in CI/CD: pwn request attacks that rely on the pull_request_target trigger. Starting June 18, 2026, the updated actions/checkout action will block these exploits by default.
How Pwn Requests Slip Past Your Guard
Pwn request attacks aren't new. An attacker opens a pull request from a forked repo and embeds malicious code that the workflow runs with full write permissions. The dangerous combination is pull_request_target (which grants secrets and a write token) plus an action that checks out the PR's code without sanitization. actions/checkout is the most popular way to fetch that code, so hardening it directly shuts down the whole class of attacks.
What Changes on June 18
The updated actions/checkout will refuse to check out pull request code when the pull_request_target trigger is active, unless the workflow explicitly opts into the risk. No more silent git clone of attacker-controlled trees into a privileged context. GitHub isn't removing the trigger - teams can still use it for label actions or comment parsing - but they can't blindly fetch PR code anymore.
Why This Matters Now
Supply-chain attacks through CI/CD are exploding. The pull_request_target pattern is one of those footguns that everyone knows is dangerous but nobody patches until a breach forces it. GitHub's deadline gives teams four years to audit their workflows and adopt safer patterns like using pull_request with read-only tokens, or explicitly checking out only the base branch. If you're using actions/checkout inside a pull_request_target workflow today, June 18, 2026 is the drop-dead date to rewrite that logic.
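A heuristic audit for the combination described above, as an added example that is not from the original article or from GitHub: it flags actions/checkout steps that override ref or repository with pull request head values in a workflow triggered by pull_request_target. The function names and the sample workflow are constructed for illustration, and the scan is line-based rather than a full YAML parse.

```python
import re

# Expressions that resolve to the fork's code rather than the base branch.
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.|github\.head_ref|refs/pull/")
CHECKOUT = re.compile(r"uses:\s*actions/checkout(@|\s|$)")
REF_KEY = re.compile(r"(ref|repository):")
MSG = "actions/checkout fetches PR head under pull_request_target"

def step_blocks(lines):
    """Yield (first_line_number, stripped_lines) for each '- ' list item."""
    start, indent, block = 0, 0, []
    for n, line in enumerate(lines, 1):
        body = line.strip()
        if not body:
            continue
        cur = len(line) - len(line.lstrip())
        if block and cur <= indent:  # dedent or sibling item closes the block
            yield start, block
            block = []
        if not block and body.startswith("- "):
            start, indent = n, cur
        if block or body.startswith("- "):
            block.append(body)
    if block:
        yield start, block

def audit_workflow(text):
    """Heuristic line scan, no YAML parser. Returns [(line_no, message)]."""
    lines = [re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines()]
    if not any(re.search(r"\bpull_request_target\b", ln) for ln in lines):
        return []  # trigger absent: the workflow has no base-repo privileges
    return [(start, MSG) for start, block in step_blocks(lines)
            if any(CHECKOUT.search(ln) for ln in block)
            and any(REF_KEY.match(ln) and PR_HEAD.search(ln) for ln in block)]

# Constructed samples (not from any real repository); SAFE drops the ref override.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  build:
    steps:
      - name: Fetch PR
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""
SAFE = "\n".join(ln for ln in VULNERABLE.splitlines() if "with:" not in ln and "ref:" not in ln)
```

Run `audit_workflow` over each file in `.github/workflows/`; a step with no `ref` override is not reported because under pull_request_target the default checkout is the base branch.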
Source: GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns
Domain: thehackernews.com