GitHub Blocks Pwn Request Attacks in actions/checkout


GitHub updates actions/checkout to block pwn request attacks exploiting pull_request_target workflow trigger. Effective June 18, 2026, this strengthens software supply chain security by preventing malicious code execution with full privileges.

GitHub just made a big move to lock down software supply chain security. They updated `actions/checkout` to block pwn request attacks, which exploit the risky `pull_request_target` workflow trigger. These attacks let bad actors run malicious code with the workflow's full privileges, which is a nightmare for developers. Starting June 18, 2026, the latest version of `actions/checkout` will automatically block these common attack patterns. It's the official GitHub action for checking out a repository into your workflow runner, so this update is huge for anyone using GitHub Actions.

### What Are Pwn Request Attacks?

A pwn request attack happens when someone submits a pull request and the workflow uses `pull_request_target` instead of `pull_request`. The difference? `pull_request_target` runs with full write permissions and has access to repository secrets. Attackers can inject malicious code into the PR that gets executed by the workflow, stealing tokens or modifying your code.

Think of it like this: you're letting a stranger into your house, but instead of just the living room, you give them the keys to every room. That's `pull_request_target` without proper safeguards.

### How GitHub's Update Protects You

The new `actions/checkout` version blocks these attacks by default. It doesn't just trust the PR code blindly. Instead, it checks for suspicious patterns and stops execution before any damage happens. This is a game-changer for teams that rely on automated workflows.

Here's what the update does:

- Blocks code execution from untrusted PRs
- Prevents access to secrets when using `pull_request_target`
- Adds built-in checks for common attack vectors
- Works seamlessly with existing workflows

### Why This Matters for Your Team

If you're using GitHub Actions for CI/CD, this update is critical. Even if you think your workflows are secure, pwn request attacks are sneaky. They exploit a fundamental trust issue in how workflows handle PRs. The update removes that risk without you having to change anything. Just update your `actions/checkout` version after June 18, 2026, and you're covered. No extra configuration, no breaking changes. It's one less thing to worry about.

### What You Need to Do

1. Check your current `actions/checkout` version
2. Update to the latest version after June 18, 2026
3. Review any workflows using `pull_request_target`
4. Consider switching to `pull_request` if possible

That's it. GitHub did the heavy lifting. You just need to update your action reference in your workflow files.

### The Bigger Picture

This update is part of a broader push to improve software supply chain security. We've seen too many attacks through compromised CI/CD pipelines. By blocking pwn requests, GitHub is closing a major vulnerability that many teams didn't even know existed.

For developers in the United States, this is especially relevant. With more companies moving to cloud-native development, securing GitHub Actions is table stakes. The update costs nothing but saves you from potential breaches that could cost thousands of dollars.

Remember, security isn't just about passwords and firewalls. It's about how your automation handles trust. GitHub's update makes that trust a lot safer.
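To support step 3 above (reviewing workflows that use `pull_request_target`), here is an added audit script that is not part of the article or of `actions/checkout`: it flags the pwn request pattern the article describes, a `pull_request_target` trigger combined with a checkout step whose `ref` points at the PR head. It assumes the common spellings `github.event.pull_request.head.*` and `github.head_ref` and uses simple line matching rather than a full YAML parser, so treat its output as a starting point for manual review.

```python
# Added example, not code from the article or from actions/checkout: a line-based audit
# flagging the pwn-request pattern (pull_request_target + checkout of the PR head).
import re

CHECKOUT_RE = re.compile(r"^(\s*)-\s*uses:\s*actions/checkout@")
STEP_RE = re.compile(r"^(\s*)-\s")  # any step list item, capturing its indent
UNTRUSTED_REF_RE = re.compile(
    r"\bref:.*(github\.event\.pull_request\.head|github\.head_ref)")

def uses_pull_request_target(text):
    """True if the workflow's 'on:' section names pull_request_target."""
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith("on:") and "pull_request_target" in s:  # scalar/list form
            return True
        if re.match(r"pull_request_target\s*:", s):  # mapping form under 'on:'
            return True
    return False

def untrusted_checkouts(text):
    """1-based line numbers of checkout steps whose 'ref' is the PR head."""
    lines, hits = text.splitlines(), []
    for i, line in enumerate(lines):
        m = CHECKOUT_RE.match(line)
        if not m:
            continue
        # scan this step's 'with:' block until the next step at the same depth
        for nxt in lines[i + 1:]:
            st = STEP_RE.match(nxt)
            if st and len(st.group(1)) <= len(m.group(1)):
                break
            if UNTRUSTED_REF_RE.search(nxt):
                hits.append(i + 1)
                break
    return hits

def audit(text):
    """Risky checkout lines; empty when the trigger itself is not privileged."""
    return untrusted_checkouts(text) if uses_pull_request_target(text) else []

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
```

Run `audit()` over each file in `.github/workflows/`; a non-empty result means that workflow checks out untrusted PR code under a privileged trigger and needs review.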