William OGOU Cybersecurity Blog

Published

- 12 min read

GitHub Checkout v7 Blocks Pwn Request Attacks: Secure by Default

By William OGOU
GitHub ActionsPwn RequestSupply Chain Attackpull_request_targetactions/checkoutDevSecOpsCI/CD Security
img of GitHub Checkout v7 Blocks Pwn Request Attacks: Secure by Default

After years of trying to educate developers to use pull_request_target securely, GitHub has finally stopped asking and started enforcing. On June 18, 2026, the platform shipped actions/checkout v7, which automatically blocks and fails workflows when used inside pull_request_target or workflow_run events that attempt to fetch unreviewed fork pull request code.

The change closes one of the most abused blind spots in the software supply chain the “pwn request” attack pattern that has fueled campaigns like TeamPCP’s compromise of 170 npm packages including the TanStack Router ecosystem. It signals the beginning of a “secure by default” era in which GitHub defines safety at the platform level rather than leaving it to the discretion of individual developers.

Here is the technical breakdown of how the pwn request exploit worked, what actions/checkout v7 changes, and which supply chain gaps still remain open after this fix.

GitHub Actions Checkout v7 Blocks Pwn Requests

What to Remember

  • actions/checkout v7 blocks pwn requests by default it refuses to fetch fork pull request code inside pull_request_target and workflow_run workflows without an explicit allow-unsafe-pr-checkout opt-in.
  • The fix backports to all supported major versions on July 16, 2026 workflows pinned to a floating major tag like actions/checkout@v4 will pick up the change automatically. SHA-pinned workflows need a manual upgrade.
  • The root cause was never the trigger itself pull_request_target is legitimate and secure when used correctly. The vulnerability is in checking out untrusted fork code inside a workflow that runs with the base repository’s secrets and GITHUB_TOKEN.
  • Real-world damage was already done TeamPCP weaponized this exact pattern in the Mini Shai-Hulud attack that compromised 170+ npm packages, and in the Megalodon campaign that hit 5,500+ GitHub repositories.
  • This is a guardrail, not a complete solution pwn requests triggered via other event types (issue_comment), through git or the GitHub CLI, or by checking out unrelated third-party repositories remain out of scope.

The Pwn Request Exploit: How It Worked

To understand why this fix matters, you need to understand the attack it neutralizes. The pwn request exploit is not a vulnerability in a single component it is a dangerous composition of two legitimate GitHub Actions features.

The Trigger: pull_request_target

GitHub Actions allows several triggers to run workflows in response to pull requests. The pull_request trigger processes third-party forks safely it does not give the workflow access to secrets such as API keys, service tokens, or credentials. The downside is that this restriction prevents some automations from working, which is why developers turn to an alternative trigger: pull_request_target.

pull_request_target is automatically run without requiring manual approval when a pull request is opened, reopened, or when the head branch is updated. The critical difference is that it runs in the context of the default branch of the base repository, with access to the base repository’s GITHUB_TOKEN, secrets, and default-branch cache. This makes it powerful for trusted automation around pull requests labeling, commenting, applying project metadata.

The Checkout: actions/checkout

The danger arises when pull_request_target is combined with actions/checkout to download and execute code submitted by an untrusted fork. If a bad actor submits a pull request containing malicious scripts and the workflow checks out and runs that code, the attacker’s code executes with the base repository’s full privileges including write access to the GITHUB_TOKEN and any configured secrets.

This is the pwn request attack: the attacker “pwns” the workflow by getting their untrusted code executed in a privileged context. As GitHub’s changelog puts it: “Checking out the head of an unreviewed pull request from a fork inside one of these workflows typically lets attacker-controlled code execute with the workflow’s full privileges.”

The Composition Problem

The weakness in pull_request_target is not the trigger itself, which is legitimate and secure when correctly used. It is in its incorrect use. Developers who need elevated permissions for automation reach for pull_request_target, then inadvertently check out the fork’s code instead of the base branch’s code, creating a privilege escalation path that runs attacker-controlled scripts with the repository’s secrets.

This is a classic case of a footgun a tool that is powerful but easy to misuse. For years, GitHub’s response was documentation and education. The platform published guidance advising developers to assess whether pull_request_target was necessary, to switch to pull_request when elevated permissions were not required, and to ensure user-controlled input did not result in execution of untrusted code. The attacks continued anyway.

What actions/checkout v7 Changes

The new version refuses common pwn request patterns by default. Specifically, actions/checkout v7 refuses to fetch fork pull request code in pull_request_target and workflow_run workflows (the latter only when workflow_run.event is a pull_request* event).

The refusal occurs when the pull request is from a fork, and any of the following criteria is met:

  • repository resolves to the fork pull request’s repository
  • ref matches refs/pull/<number>/head or refs/pull/<number>/merge
  • ref resolves to a fork pull request’s head or merge commit SHA

The only way around these checks is an explicit opt-out: developers must add allow-unsafe-pr-checkout set to true in their actions/checkout configuration. This forces teams to make a deliberate, visible choice to accept the risk rather than stumbling into it through careless configuration.

The Backport: July 16, 2026

The new defaults will be backported to all supported major versions on July 16, 2026. Workflows pinned to a floating major tag (for example, actions/checkout@v4) will automatically pick up the change. Workflows pinned to a specific SHA, minor, or patch version are not affected by the backport and will need to upgrade using Dependabot or through established upgrade processes.

This is a meaningful departure from GitHub’s historical approach. Rather than waiting for every repository to migrate to v7, the platform is pushing the security fix down to existing major versions. If you are pinned to a SHA for reproducibility which is supply chain best practice you will need to take action manually.

The Real-World Damage This Could Have Prevented

Open source repositories have recently come under sustained attacks from the TeamPCP hacking group, using a variety of techniques including pwn requests. The most severe examples weaponized this exact pull_request_target behavior.

Mini Shai-Hulud: 170+ npm Packages Compromised

In May 2026, TeamPCP’s Mini Shai-Hulud attack compromised foundational packages including TanStack, UiPath, Mistral AI, and OpenSearch. The attack cascaded across 170+ npm and PyPI packages with over 518 million cumulative monthly downloads. The attackers extracted OIDC tokens directly from CI/CD runner memory and published malicious packages that carried valid SLSA Build Level 3 provenance attestations proving that supply chain signatures are useless if the CI runner itself is poisoned.

Megalodon: 5,500+ Repositories Breached

Weeks later, the Megalodon campaign pushed 5,718 malicious commits to 5,561 distinct GitHub repositories in a six-hour window. The attackers injected Base64-encoded bash payloads directly into GitHub Actions workflow files, forging commit authors to look like routine CI maintenance. The payload explicitly hunted for GitHub Actions OIDC request URLs, allowing attackers to mint tokens and impersonate CI/CD pipelines in AWS, GCP, or Azure.

The Broader Pattern

These campaigns fit a broader pattern that has dominated the supply chain crisis: steal developer credentials, poison trusted packages, use poisoned packages to steal more credentials. The common thread is implicit trust organizations trusted a GitHub Action because of its version number, or a workflow because it was in their repository. GitHub’s actions/checkout v7 fix directly targets one of the most abused entry points in this cycle.

A separate incident not involving a pwn request also saw GitHub itself breached, with attackers exfiltrating source code from around 3,800 of the company’s internal repositories. Better late than never, GitHub has sprung into action, plotting a series of security reforms including, earlier in June, limiting automatic install script execution in npm.

What This Fix Does Not Cover

The protection in this update only covers checkouts performed through actions/checkout. That makes this a guardrail, not a complete solution for Actions security. Several attack paths remain open.

Other Event Types

Pwn requests triggered via other event types besides pull_request_target for example, issue_comment are out of scope. An attacker can still craft workflows that execute untrusted code in privileged contexts through alternative triggers that accept user-controlled input.

Git and GitHub CLI Checkouts

The fix does not block checkouts performed through git directly or the GitHub CLI. A workflow that runs git checkout or uses the GitHub CLI to fetch fork code inside a privileged event remains vulnerable to the same pwn request pattern.

Unrelated Third-Party Repositories

The change only blocks checkouts of the fork pull request head and merge commits. It does not block checkouts of other untrusted repositories. For example, setting repository: to an unrelated third-party repository is not blocked. Checking out and executing any untrusted code in a privileged event remains a pwn request risk that should be reviewed.

Workflows With Elevated Permissions

Workflows that run with secrets, write permissions, deployment permissions, or OIDC publishing access still need careful review. The actions/checkout fix prevents one specific attack vector, but privileged workflows remain high-value targets for any technique that can achieve code execution whether through dependency confusion, typosquatting, or compromised maintainer accounts.

Practical Remediation Steps

If you maintain GitHub repositories with Actions workflows, here is what to do.

Step 1: Audit Your pull_request_target Usage

Search your .github/workflows/ directory for pull_request_target triggers. For each one, ask: does this workflow actually need elevated permissions? If it only labels, comments, or applies project metadata, pull_request_target is appropriate. If it builds, tests, or runs code from the pull request, switch to pull_request and accept the restrictions on secrets access.

Step 2: Upgrade to actions/checkout v7 or Accept the Backport

If you pin to a floating major tag (actions/checkout@v4), the fix arrives automatically on July 16, 2026. If you pin to a specific SHA which is best practice for supply chain integrity update your pin to a v7 SHA using Dependabot or your established upgrade process.

Step 3: Restrict Workflow Permissions

Apply least privilege to your workflows. Set permissions explicitly at the workflow and job level. Do not rely on the default GITHUB_TOKEN permissions, which may include write access to your repository. A workflow that only needs to read content should not have write permissions.

Step 4: Never Execute Untrusted Code in Privileged Contexts

The fundamental rule: if a workflow runs with secrets or elevated permissions, it must never execute code from an untrusted source whether that is a fork pull request, a third-party repository, or a user-controlled script path. The actions/checkout v7 fix enforces this for one specific pattern, but the principle applies universally.

Conclusion

GitHub’s actions/checkout v7 fix is a meaningful step toward secure-by-default supply chain infrastructure. By blocking the most common pwn request pattern at the platform level, GitHub has closed an attack vector that fueled some of the most damaging supply chain campaigns of the past year. The backport to all supported major versions ensures the fix reaches repositories that would otherwise never upgrade.

But this is a guardrail, not a wall. Pwn requests can still happen through other event types, through direct git checkouts, and through the execution of untrusted code from unrelated third-party repositories. The broader supply chain crisis dependency confusion, typosquatting, compromised maintainer accounts, and OIDC token theft remains as active as ever. Teams that want to be secure need to defend their software supply chain with layered controls, not rely on any single platform fix.

The era of “secure by default” is starting. It is just starting years later than it should have.

To discuss supply chain security hardening for your CI/CD pipelines, contact me on LinkedIn or by email.

Frequently Asked Questions (FAQ)

What is a pwn request attack in GitHub Actions?

A pwn request attack occurs when a workflow triggered by pull_request_target checks out and executes code from an untrusted fork. Because pull_request_target runs with the base repository's GITHUB_TOKEN and secrets, the attacker's code executes with full privileges, allowing token theft and repository compromise.

What does actions/checkout v7 change?

actions/checkout v7 automatically refuses to fetch fork pull request code inside pull_request_target and workflow_run workflows. The only way to bypass this protection is to explicitly set allow-unsafe-pr-checkout to true, forcing teams to make a deliberate choice to accept the risk.

Will my existing workflows break after the July 16 backport?

If your workflows use pull_request_target with actions/checkout to fetch fork code and rely on a floating major tag like @v4, they will fail after July 16, 2026. You either need to switch to the pull_request trigger, remove the fork checkout, or explicitly opt in with allow-unsafe-pr-checkout.

Does this fix protect against all supply chain attacks on GitHub Actions?

No. The fix only covers checkouts performed through actions/checkout in pull_request_target and workflow_run events. Pwn requests via other event types like issue_comment, through git or the GitHub CLI, or via unrelated third-party repositories remain exploitable.

How does this relate to the TeamPCP supply chain attacks?

TeamPCP weaponized the pwn request pattern in the Mini Shai-Hulud attack that compromised 170+ npm packages including TanStack, and in the Megalodon campaign that hit 5,500+ GitHub repositories. The actions/checkout v7 fix directly targets the attack vector used in those campaigns.

Should I pin actions/checkout to a SHA or a major version tag?

SHA pinning is supply chain best practice for reproducibility and integrity. However, SHA-pinned workflows will not automatically receive the July 16 backport and need a manual upgrade. Use Dependabot to keep SHA pins updated while maintaining security.

Relevant Resources

William OGOU

William OGOU

Need help implementing Zero Trust strategy or securing your cloud infrastructure? I help organizations build resilient, compliance-ready security architectures.

Connect on LinkedIn