saas · TheHackerNews
GitHub has updated the "actions/checkout" action to block common pwn request attack patterns in CI/CD workflows. Effective June 18, 2026, version 7 of actions/checkout refuses to fetch fork pull request code in pull_request_target and certain workflow_run workflows by default. The protection applies when a pull request originates from a fork and meets specific criteria (repository resolves to fork, ref matches pull request patterns, or ref resolves to fork commit SHA), unless workflow authors explicitly opt out via the "allow-unsafe-pr-checkout" flag. The change addresses a known vulnerability where pull_request_target workflows run with the base repository's GITHUB_TOKEN, secrets, and cache access; if checkout pulls code from an untrusted fork, attackers can execute malicious code with full workflow privileges and steal secrets. GitHub notes that recent supply chain attacks, including compromises of Nx, PostHog, TanStack, and kubernetes-el packages, exploited this behavior.
For Omniware's buyers—particularly SaaS teams and defense contractors managing software dependencies—this update directly mitigates a critical software supply chain risk. Organizations using GitHub Actions in CI/CD pipelines should verify their workflows do not rely on the blocked patterns or, if they must use pull_request_target, explicitly understand the security trade-offs. This change aligns with NIST 800-171 and SOC2 expectations around secure build processes and supply chain controls. However, GitHub emphasizes that this is a guardrail, not a complete solution; workflows with secrets, write permissions, or OIDC publishing access still require careful review. An Omniware engagement can scope your Actions workflows and CI/CD hygiene in detail.
Source: The Hacker News - https://thehackernews.com/2026/06/github-updates-actionscheckout-to-block.html
Source: TheHackerNews
All briefings