The pull_request_target and workflow_run triggers execute GitHub Actions workflows using the target repository’s credentials, including its secrets and write permissions. When the workflow then executes any part of that checked-out code — directly or indirectly through build scripts, configuration files, or package manifests — an attacker controlling the fork gains arbitrary code execution with the host repository’s full privileges.

Why is this an issue?

The pull_request_target and workflow_run triggers run with the host repository’s credentials, including its secrets and any write permissions granted to the GITHUB_TOKEN. When such a workflow checks out code from a fork — and that code is executed directly, or can affect execution indirectly (for example through build scripts or downloaded package lists) — an attacker controlling the fork can run arbitrary code with the host repository’s full privileges. Special considerations apply to organizations and repositories created before 2023, when the default permissions of the GITHUB_TOKEN were changed to read-only.

What is the potential impact?

Secret extraction

If the workflow has access to repository secrets, malicious fork code can exfiltrate them — including deployment tokens, API keys, or cloud credentials — to an attacker-controlled server.

Repository manipulation

With write access available through the GITHUB_TOKEN, an attacker can push malicious commits, tamper with releases, or alter workflow files to establish a persistent foothold in the repository.

How to fix it

If the workflow does not require write access to the repository or access to its secrets, the recommended approach is to use the pull_request trigger instead of pull_request_target or workflow_run.

If this is not feasible, the workflow can be split into two parts:

• An unprivileged job triggered by pull_request that performs checks not requiring elevated permissions.
• A privileged job triggered by workflow_run on completion of the first job, that performs the actions requiring elevated permissions.

When doing this, it is important to ensure that the privileged workflow does not process input from the untrusted workflow.

Code examples

Noncompliant code example

The following workflow executes the build.sh script from the fork using the privileges of the repository:

name: Example

on:
  pull_request_target:

jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # Noncompliant

      - name: Build
        run: |
          ./build.sh

Compliant solution

If elevated permissions are not needed, the simplest fix is to use pull_request as the trigger.

name: Example

on:
  pull_request:

jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Build
        run: |
          ./build.sh

Resources

Documentation

• GitHub Security Lab - Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests

Articles & blog posts

• GitHub Blog - GitHub Actions – Updating the default GITHUB_TOKEN permissions to read-only
• GitHub Security Lab - GHSL-2024-268: Poisoned Pipeline Execution (PPE) via execution of untrusted checked-out code in Hibernate ORM
• Open Source Security Foundation - Mitigating Attack Vectors in GitHub Workflows

Standards

• OWASP - Top 10 2021 Category A1 - Broken Access Control
• OWASP - Top 10 2017 Category A5 - Broken Access Control
• OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
• CWE - CWE-732 - Incorrect Permission Assignment for Critical Resource
• CWE - CWE-272 - Least Privilege Violation
• CWE - CWE-279 - Incorrect Execution-assigned Privileges
• STIG Viewer - Application Security and Development: V-222429 - The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures