GHA-SEC007: `pull_request_target` and External SHA
Problem Statement
`pull_request_target` runs in the context of the base repository, so the job receives a write-capable `GITHUB_TOKEN` and access to repository secrets even when the event was raised by a pull request from an untrusted fork. If the workflow then checks out the PR head (`github.event.pull_request.head.sha` or `head.ref`) and builds, tests or otherwise executes it, the fork's author runs arbitrary code with those privileges.
Vulnerability
Repository Compromise
Code Examples
Insecure Implementation
```yaml
on: pull_request_target   # base-repo context: write GITHUB_TOKEN, secrets available
steps:
  - uses: actions/checkout@v3
    with:
      ref: ${{ github.event.pull_request.head.sha }}   # checks out the untrusted fork commit
  - run: npm ci && npm test   # runs the contributor's code with those privileges
```
Secure Implementation
```yaml
on: pull_request   # fork PRs run with a read-only GITHUB_TOKEN and no repository secrets
```
Remediation Steps
- Use `pull_request` instead of `pull_request_target` for workflows that build or test untrusted contributions; for a fork PR the job then runs with a read-only `GITHUB_TOKEN` and without repository secrets.
- If `pull_request_target` is genuinely required (for example to label or comment on the PR), do not check out `github.event.pull_request.head.sha` or `head.ref`, and do not execute anything taken from the PR (build scripts, package manifests with install hooks, tests); operate on the base branch only and restrict `permissions:` to what the job needs.
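The following scanner is an added example, not part of this rule page and not a GitHub or GHA-SEC tool: it flags workflow files that combine a `pull_request_target` trigger with a checkout of the PR head. It reads the raw YAML text with regular expressions rather than parsing YAML, so it handles the common `on: pull_request_target`, `on: [..]` and `on:\n  pull_request_target:` forms but is illustrative only; the four sample workflows are constructed for the example.

```python
"""Added example (hypothetical scanner, not from the original rule page): flag
workflows that combine `pull_request_target` with a checkout of the untrusted
PR head. Scans raw YAML text with regexes; it does not parse YAML."""
import re
from typing import List

# Expressions that resolve to the pull request's head (fork) commit or branch.
HEAD_REF_RE = re.compile(
    r"\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}"
)
# Top-level trigger key; YAML also allows it quoted.
ON_KEY_RE = re.compile(r"""^(?:on|"on"|'on'):""")


def trigger_block(workflow_text: str) -> str:
    """Return the top-level `on:` line plus its indented children (if any)."""
    collected: List[str] = []
    inside = False
    for line in workflow_text.splitlines():
        if ON_KEY_RE.match(line):
            inside = True
        elif inside and line.strip() and not line.startswith((" ", "\t", "-")):
            break  # the next top-level key ends the `on:` block
        if inside:
            collected.append(line)
    return "\n".join(collected)


def find_pwn_request(workflow_text: str) -> List[str]:
    """One finding per `ref:` line that checks out the PR head while the workflow
    is triggered by `pull_request_target`. An empty list means no hit."""
    if "pull_request_target" not in trigger_block(workflow_text):
        return []  # plain `pull_request`: fork code gets no write token or secrets
    findings: List[str] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("ref:") and HEAD_REF_RE.search(line):
            findings.append(
                f"line {lineno}: pull_request_target checks out untrusted PR head: "
                f"{line.strip()}"
            )
    return findings


# Constructed sample workflows (not taken from any real repository).
VULNERABLE = """\
name: ci
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

VULNERABLE_MAP = """\
name: label
on:
  pull_request_target:
    types: [opened, synchronize]
  push:
    branches: [main]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.head_ref }}
      - run: ./scripts/label.sh
"""

# pull_request_target without touching the PR head: checkout defaults to the base branch.
SAFE_TARGET = """\
name: comment
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./scripts/comment.sh
"""

# Same checkout of the head SHA, but under `pull_request`: no write token for forks.
SAFE = VULNERABLE.replace("pull_request_target", "pull_request")

if __name__ == "__main__":
    for name, text in [("VULNERABLE", VULNERABLE), ("VULNERABLE_MAP", VULNERABLE_MAP),
                       ("SAFE_TARGET", SAFE_TARGET), ("SAFE", SAFE)]:
        print(name, find_pwn_request(text) or "ok")
```

Run it against the `.github/workflows/*.yml` files of a repository by reading each file into `find_pwn_request`; a hit means the base-repo token and secrets are exposed to whoever can open a pull request, which is exactly the condition this rule describes. The check deliberately ignores `pull_request_target` workflows that never reference the PR head, since those are the legitimate use of the trigger.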