GitHub has released version 7 of its widely-used `actions/checkout` action, introducing a critical security change: the action now refuses to check out fork pull request code by default when the workflow is triggered by `pull_request_target` or `workflow_run`. These triggers run with the base repository's `GITHUB_TOKEN`, secrets, and runner access, where executing a fork's code commonly leads to "pwn request" vulnerabilities. Users who have reviewed the risks can opt in by setting the new `allow-unsafe-pr-checkout: true` input.
Security and credential improvements
The update also improves credential security. Previously, `persist-credentials` stored credentials directly in `.git/config`; now they are stored in a separate file under `$RUNNER_TEMP`. This change does not require any workflow modifications—git fetch, git push, and other authenticated commands continue to work automatically. However, running authenticated git commands from a Docker container action now requires Actions Runner v2.329.0 or later.
Migration to ESM and updated dependencies
`actions/checkout` has been migrated to ESM to support new versions of the `@actions/*` packages. Direct and transitive dependencies have been updated, including security fixes for known vulnerabilities. The action now runs on the node24 runtime, which requires a minimum Actions Runner version of v2.327.1.
Usage and configuration
The action checks out your repository under `$GITHUB_WORKSPACE` so your workflow can access it. By default, only a single commit is fetched for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. The auth token is persisted in the local git config and removed during post-job cleanup; set `persist-credentials: false` to opt out. When Git 2.18 or higher is not in your PATH, the action falls back to the REST API to download files.
Contribution status
GitHub is not currently accepting contributions to this repository. The team is focusing resources on strategic areas that help customers be successful while improving developers' lives. Questions and support requests should be directed to GitHub Community Discussions. High-priority bugs can be reported through Community Discussions or via GitHub's support team. Security issues should be handled as per the project's security.md. GitHub will continue to provide security updates and fix major breaking changes during this time.