Copy
Trading Bots
Events
More

GitHub Actions checkout v7: safer fork PR handling

2026/07/11 20:50Browse 0

GitHub has released version 7 of its widely-used `actions/checkout` action, introducing a critical security change: the action now refuses to check out fork pull request code by default when the workflow is triggered by `pull_request_target` or `workflow_run`. These triggers run with the base repository's `GITHUB_TOKEN`, secrets, and runner access, where executing a fork's code commonly leads to "pwn request" vulnerabilities. Users who have reviewed the risks can opt in by setting the new `allow-unsafe-pr-checkout: true` input.

Security and credential improvements

The update also improves credential security. Previously, `persist-credentials` stored credentials directly in `.git/config`; now they are stored in a separate file under `$RUNNER_TEMP`. This change does not require any workflow modifications—git fetch, git push, and other authenticated commands continue to work automatically. However, running authenticated git commands from a Docker container action now requires Actions Runner v2.329.0 or later.

Migration to ESM and updated dependencies

`actions/checkout` has been migrated to ESM to support new versions of the `@actions/*` packages. Direct and transitive dependencies have been updated, including security fixes for known vulnerabilities. The action now runs on the node24 runtime, which requires a minimum Actions Runner version of v2.327.1.

Usage and configuration

The action checks out your repository under `$GITHUB_WORKSPACE` so your workflow can access it. By default, only a single commit is fetched for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. The auth token is persisted in the local git config and removed during post-job cleanup; set `persist-credentials: false` to opt out. When Git 2.18 or higher is not in your PATH, the action falls back to the REST API to download files.

Contribution status

GitHub is not currently accepting contributions to this repository. The team is focusing resources on strategic areas that help customers be successful while improving developers' lives. Questions and support requests should be directed to GitHub Community Discussions. High-priority bugs can be reported through Community Discussions or via GitHub's support team. Security issues should be handled as per the project's security.md. GitHub will continue to provide security updates and fix major breaking changes during this time.

Disclaimer: This page may contain third-party information and does not necessarily reflect BYDFi's views or opinions. This content is for general reference only and does not constitute any representation, warranty, financial advice, or investment advice. BYDFi is not responsible for any errors, omissions, or any results arising from the use of such information. Virtual asset investments involve risks. Please carefully evaluate the risks of the product and your risk tolerance based on your financial situation. For more information, please refer to our Terms of Use and Risk Disclosure.