Skip to content

Commit 2f765bc

Browse files
zakiskclaude
andcommitted
fix(ci): allow checkout of fork PR code in pull_request_target workflow
actions/checkout v7 now refuses to fetch fork pull request code in pull_request_target workflows by default to prevent pwn request attacks. Add allow-unsafe-pr-checkout: true to the e2e workflow checkout step that needs to build and test fork PR code with repository secrets. Signed-off-by: Zaki Shaikh <zashaikh@redhat.com> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 6554d32 commit 2f765bc

1 file changed

Lines changed: 4 additions & 0 deletions

File tree

.github/workflows/e2e.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -126,10 +126,14 @@ jobs:
126126
TESTRR_BUILD_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
127127
TESTRR_RUN_LABEL: gha-e2e-${{ matrix.provider }}
128128
steps:
129+
# Safe: external contributor PRs do not run this workflow without
130+
# an explicit maintainer ok-to-test approval (see the permission
131+
# check step below).
129132
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
130133
with:
131134
ref: ${{ inputs.target_ref || github.event.pull_request.head.sha || github.sha }}
132135
persist-credentials: false
136+
allow-unsafe-pr-checkout: true
133137

134138
- name: Check user permissions on PRs
135139
if: github.event_name == 'pull_request_target'

0 commit comments

Comments
 (0)