#ci-security
Tagged “ci-security”
2 articles

Security
actions/checkout v7 refuses fork PR code in pull_request_target
GitHub shipped actions/checkout v7, which fails by default when a workflow triggered by pull_request_target or workflow_run tries to fetch the head of a fork's pull request. Same-repo PRs and the standard pull_request event are unaffected; a deliberately conspicuous opt-out exists for teams who really mean it.
Tomás Vega

Security & supply chain
GitHub Actions hands platform teams a workflow-trigger allow list
GitHub Actions is rolling out workflow execution protections in public preview at the enterprise, organization, and repository levels, letting administrators define who and what can trigger workflows. It's the platform-owned trigger gate the CI/CD industry has been quietly working toward for years.
Jun 18, 2026 · Tomás Vega