build(deps): bump actions/cache from 5 to 6#601
Conversation
dependabot
Bot
added
dependencies
|
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (2)
🔗 Linked repositories identifiedCodeRabbit considers these linked repositories for cross-repo context during reviews:
📜 Recent review details⏰ Context from checks skipped due to timeout. (4)
🧰 Additional context used🪛 zizmor (1.26.1).github/workflows/operator-cd.yml[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 29-29: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default (cache-poisoning) .github/workflows/publish-components-for-e2e-tests.yml[error] 56-56: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) [error] 61-61: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🔀 Multi-repo context codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e, codeready-toolchain/api, codeready-toolchain/toolchain-commonLinked repositories findings[::codeready-toolchain/host-operator::] Inspected ref
This means the same cache-action bump is already present on that PR branch. [::codeready-toolchain/toolchain-e2e::] Inspected ref
[::codeready-toolchain/api::] No [::codeready-toolchain/toolchain-common::] No 🛑 Comments failed to post (1)
🔇 Additional comments (2)
WalkthroughTwo GitHub Actions workflow files update the Go dependency cache step from ChangesCI Cache Action Bump
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/publish-components-for-e2e-tests.yml (1)
58-64: 🔒 Security & Privacy | 🟠 MajorAvoid cache writes on this untrusted workflow path.
This runs on
pull_request_targetandissue_comment, checks out PR head code, andactions/cache@v6can save cache contents from that untrusted context. Use restore-only here, or gate any save step to a trusted workflow.Safer pattern
- - name: Cache dependencies - uses: actions/cache@v6 + - name: Restore dependencies cache + uses: actions/cache/restore@v4 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles ('**/go.sum') }} restore-keys: | ${{ runner.os }}-go-🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-components-for-e2e-tests.yml around lines 58 - 64, The dependency caching step in the publish-components-for-e2e-tests workflow is running in an untrusted pull_request_target/issue_comment context and should not be allowed to write cache data. Update the existing Cache dependencies step that uses actions/cache@v6 so it only restores cache state or otherwise prevents saving from this workflow, and if caching must be saved then move that write path behind a trusted job or workflow. Keep the fix localized to the cache step in the workflow so the untrusted checkout cannot persist cache contents.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/operator-cd.yml:
- Line 29: The cache action is still referenced by a moving tag, so update the
actions/cache usage in both workflow jobs to the immutable SHA instead of
actions/cache@v6. Replace the existing cache step in operator-cd and the
corresponding cache step in publish-components-for-e2e-tests with the pinned
actions/cache revision so both workflows are locked to the same commit.
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Line 59: The workflow is using a mutable actions/cache tag, so pin the cache
action to a full commit SHA instead of v6. Update the uses reference in this
workflow’s cache step, and make the same SHA-based pinning change in the
operator-cd workflow cache step as well so both references are fixed and
consistent.
---
Outside diff comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 58-64: The dependency caching step in the
publish-components-for-e2e-tests workflow is running in an untrusted
pull_request_target/issue_comment context and should not be allowed to write
cache data. Update the existing Cache dependencies step that uses
actions/cache@v6 so it only restores cache state or otherwise prevents saving
from this workflow, and if caching must be saved then move that write path
behind a trusted job or workflow. Keep the fix localized to the cache step in
the workflow so the untrusted checkout cannot persist cache contents.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 0613444b-252c-44ff-a796-f651095209a4
📒 Files selected for processing (2)
.github/workflows/operator-cd.yml.github/workflows/publish-components-for-e2e-tests.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
codeready-toolchain/api(manual)codeready-toolchain/toolchain-common(manual)codeready-toolchain/host-operator(manual)codeready-toolchain/toolchain-e2e(manual)
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
- GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/operator-cd.yml
[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 29-29: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
.github/workflows/publish-components-for-e2e-tests.yml
[error] 59-59: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔀 Multi-repo context codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e, codeready-toolchain/api, codeready-toolchain/toolchain-common
Relevant cross-repo context
[::codeready-toolchain/host-operator::] .github/workflows/operator-cd.yml:29 and .github/workflows/publish-components-for-e2e-tests.yml:59 both still use actions/cache@v5, so this repo has the same cache action dependency as the PR and would likely need the same bump for consistency.
[::codeready-toolchain/toolchain-e2e::] .github/workflows/publish-components-for-e2e-tests.yml:61 still uses actions/cache@v5, so the cache-action version change also appears in the e2e repo’s workflow.
[::codeready-toolchain/api::] No actions/cache references found in the searched workflow files.
[::codeready-toolchain/toolchain-common::] No actions/cache references found in the searched workflow files.
|
|
||
| - name: Cache dependencies | ||
| uses: actions/cache@v5 | ||
| uses: actions/cache@v6 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Resolve the commit currently referenced by actions/cache tag v6
gh api repos/actions/cache/git/ref/tags/v6 --jq '.object.sha'Repository: codeready-toolchain/registration-service
Length of output: 219
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the relevant workflow context and any other actions/cache usages in this repo.
rg -n --hidden --glob '.github/workflows/*.yml' 'actions/cache@' .github/workflows || true
sed -n '1,80p' .github/workflows/operator-cd.ymlRepository: codeready-toolchain/registration-service
Length of output: 1349
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect whether this repo uses pinned SHAs for other GitHub Actions in workflows.
rg -n --hidden --glob '.github/workflows/*.yml' 'uses:\s+[^@]+@[0-9a-f]{40}' .github/workflows || trueRepository: codeready-toolchain/registration-service
Length of output: 418
Pin actions/cache to an immutable SHA in both workflows.
Replace actions/cache@v6 with actions/cache@2c8a9bd7457de244a408f35966fab2fb45fda9c8 in .github/workflows/operator-cd.yml:29 and .github/workflows/publish-components-for-e2e-tests.yml:59.
Suggested change
- uses: actions/cache@v6
+ uses: actions/cache@2c8a9bd7457de244a408f35966fab2fb45fda9c8📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/cache@v6 | |
| uses: actions/cache@2c8a9bd7457de244a408f35966fab2fb45fda9c8 |
🧰 Tools
🪛 zizmor (1.26.1)
[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 29-29: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/operator-cd.yml at line 29, The cache action is still
referenced by a moving tag, so update the actions/cache usage in both workflow
jobs to the immutable SHA instead of actions/cache@v6. Replace the existing
cache step in operator-cd and the corresponding cache step in
publish-components-for-e2e-tests with the pinned actions/cache revision so both
workflows are locked to the same commit.
Source: Linters/SAST tools
|
|
||
| - name: Cache dependencies | ||
| uses: actions/cache@v5 | ||
| uses: actions/cache@v6 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== workflow excerpt ==\n'
nl -ba .github/workflows/publish-components-for-e2e-tests.yml | sed -n '50,70p'
printf '\n== actions/cache references in repo ==\n'
rg -n "uses:\s*actions/cache@" .github/workflows || true
printf '\n== other action refs in this workflow ==\n'
rg -n "uses:\s*[^#]+" .github/workflows/publish-components-for-e2e-tests.yml || trueRepository: codeready-toolchain/registration-service
Length of output: 242
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== workflow excerpt ==\n'
nl -ba .github/workflows/publish-components-for-e2e-tests.yml | sed -n '50,70p'
printf '\n== actions/cache references in repo ==\n'
rg -n "uses:\s*actions/cache@" .github/workflows || true
printf '\n== other action refs in this workflow ==\n'
rg -n "uses:\s*[^#]+" .github/workflows/publish-components-for-e2e-tests.yml || trueRepository: codeready-toolchain/registration-service
Length of output: 242
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== workflow excerpt ==\n'
nl -ba .github/workflows/publish-components-for-e2e-tests.yml | sed -n '50,70p'
printf '\n== actions/cache references in repo ==\n'
rg -n "uses:\s*actions/cache@" .github/workflows || true
printf '\n== other action refs in this workflow ==\n'
rg -n "uses:\s*[^#]+" .github/workflows/publish-components-for-e2e-tests.yml || trueRepository: codeready-toolchain/registration-service
Length of output: 242
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== workflow excerpt ==\n'
awk 'NR>=50 && NR<=70 { printf "%d:%s\n", NR, $0 }' .github/workflows/publish-components-for-e2e-tests.yml
printf '\n== actions/cache references in repo ==\n'
rg -n "uses:\s*actions/cache@" .github/workflows || true
printf '\n== uses lines in target workflow ==\n'
rg -n "uses:\s*" .github/workflows/publish-components-for-e2e-tests.yml || trueRepository: codeready-toolchain/registration-service
Length of output: 1713
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== workflow excerpt ==\n'
awk 'NR>=50 && NR<=70 { printf "%d:%s\n", NR, $0 }' .github/workflows/publish-components-for-e2e-tests.yml
printf '\n== actions/cache references in repo ==\n'
rg -n "uses:\s*actions/cache@" .github/workflows || true
printf '\n== uses lines in target workflow ==\n'
rg -n "uses:\s*" .github/workflows/publish-components-for-e2e-tests.yml || trueRepository: codeready-toolchain/registration-service
Length of output: 1713
Pin actions/cache to a commit SHA
uses: actions/cache@v6 is a mutable tag; pin it to a full commit SHA here and in .github/workflows/operator-cd.yml:29.
Suggested change
- uses: actions/cache@v6
+ uses: actions/cache@<full-length-commit-sha> # v6🧰 Tools
🪛 zizmor (1.26.1)
[error] 59-59: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/publish-components-for-e2e-tests.yml at line 59, The
workflow is using a mutable actions/cache tag, so pin the cache action to a full
commit SHA instead of v6. Update the uses reference in this workflow’s cache
step, and make the same SHA-based pinning change in the operator-cd workflow
cache step as well so both references are fixed and consistent.
Source: Linters/SAST tools
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v5...v6) --- updated-dependencies: - dependency-name: actions/cache dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/cache-6
branch
from
070f23c to
f99a627
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Line 31: Remove the unsafe PR checkout setting from both checkout steps in the
publish-components-for-e2e-tests workflow. The issue is that the workflow uses
privileged pull_request_target and issue_comment paths, so allowing untrusted PR
code to be checked out can reintroduce the pwn-request risk. Update the checkout
configuration to use the default safe behavior in both places, and keep the
build/publish job from consuming untrusted code in a privileged context.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 5b5d8072-98b4-43a4-9b40-966589a2c348
📒 Files selected for processing (2)
.github/workflows/operator-cd.yml.github/workflows/publish-components-for-e2e-tests.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
codeready-toolchain/api(manual)codeready-toolchain/toolchain-common(manual)codeready-toolchain/host-operator(manual) → reviewed against open PR#1271dependabot/github_actions/actions/cache-6instead of the default branchcodeready-toolchain/toolchain-e2e(manual) → reviewed against open PR#1289dependabot/github_actions/actions/cache-6instead of the default branch
📜 Review details
⏰ Context from checks skipped due to timeout. (4)
- GitHub Check: Generate SBOM
- GitHub Check: Build & push operator bundles & dashboard image for e2e tests
- GitHub Check: test
- GitHub Check: govulncheck
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/operator-cd.yml
[error] 29-29: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 29-29: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
.github/workflows/publish-components-for-e2e-tests.yml
[error] 56-56: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 61-61: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔀 Multi-repo context codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e, codeready-toolchain/api, codeready-toolchain/toolchain-common
Linked repositories findings
[::codeready-toolchain/host-operator::] Inspected ref 574a3b6 (branch of open PR #1271). Both workflows already use actions/cache@v6:
.github/workflows/operator-cd.yml:29.github/workflows/publish-components-for-e2e-tests.yml:59
This means the same cache-action bump is already present on that PR branch.
[::codeready-toolchain/toolchain-e2e::] Inspected ref de84f17 (branch of open PR #1289). The workflow already uses actions/cache@v6:
.github/workflows/publish-components-for-e2e-tests.yml:61
[::codeready-toolchain/api::] No actions/cache@v5/v6 references found in .github/workflows.
[::codeready-toolchain/toolchain-common::] No actions/cache@v5/v6 references found in .github/workflows.
🔇 Additional comments (2)
.github/workflows/operator-cd.yml (1)
29-29: 🔒 Security & Privacy | ⚡ Quick winStill needs an immutable SHA pin.
This is the same
actions/cachepinning issue already called out in the previous review;@v6is still a moving reference here.Source: Linters/SAST tools
.github/workflows/publish-components-for-e2e-tests.yml (1)
61-61: 🔒 Security & Privacy | ⚡ Quick winStill needs an immutable SHA pin.
This is the same
actions/cachepinning issue already called out earlier;@v6is still a mutable tag in this workflow.Source: Linters/SAST tools
There was a problem hiding this comment.
Caution
Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Line 31: Remove the unsafe PR checkout setting from both checkout steps in the
publish-components-for-e2e-tests workflow. The issue is that the workflow uses
privileged pull_request_target and issue_comment paths, so allowing untrusted PR
code to be checked out can reintroduce the pwn-request risk. Update the checkout
configuration to use the default safe behavior in both places, and keep the
build/publish job from consuming untrusted code in a privileged context.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 5b5d8072-98b4-43a4-9b40-966589a2c348
📒 Files selected for processing (2)
.github/workflows/operator-cd.yml.github/workflows/publish-components-for-e2e-tests.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
codeready-toolchain/api(manual)codeready-toolchain/toolchain-common(manual)codeready-toolchain/host-operator(manual) → reviewed against open PR#1271dependabot/github_actions/actions/cache-6instead of the default branchcodeready-toolchain/toolchain-e2e(manual) → reviewed against open PR#1289dependabot/github_actions/actions/cache-6instead of the default branch
📜 Review details
🔇 Additional comments (2)
.github/workflows/operator-cd.yml (1)
29-29: 🔒 Security & Privacy | ⚡ Quick winStill needs an immutable SHA pin.
This is the same
actions/cachepinning issue already called out in the previous review;@v6is still a moving reference here.Source: Linters/SAST tools
.github/workflows/publish-components-for-e2e-tests.yml (1)
61-61: 🔒 Security & Privacy | ⚡ Quick winStill needs an immutable SHA pin.
This is the same
actions/cachepinning issue already called out earlier;@v6is still a mutable tag in this workflow.Source: Linters/SAST tools
🛑 Comments failed to post (1)
.github/workflows/publish-components-for-e2e-tests.yml (1)
31-31: 🔒 Security & Privacy | 🔴 Critical
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash set -euo pipefail # Map the workflow first, then inspect the relevant sections with line numbers. git ls-files .github/workflows echo '---' cat -n .github/workflows/publish-components-for-e2e-tests.yml | sed -n '1,220p'Repository: codeready-toolchain/registration-service
Length of output: 5082
🌐 Web query:
GitHub actions/checkout allow-unsafe-pr-checkout pull_request_target security documentation💡 Result:
The
allow-unsafe-pr-checkoutinput inactions/checkout(v7 and later) is an explicit opt-in mechanism designed to allow the checkout of code from fork pull requests in privileged workflow contexts [1][2][3]. Security Context and Purpose: - Background: Workflows triggered bypull_request_targetorworkflow_run(when triggered by a pull request) operate with the base repository's secrets,GITHUB_TOKEN, and runner access [2][3][4]. Checking out and executing code from an unreviewed fork in this context is a common source of "pwn request" vulnerabilities, where an attacker executes arbitrary code with the repository's elevated privileges [1][5][4]. - New Protection: As of June 2026,actions/checkoutv7 enforces a default security policy that refuses to check out fork pull request code in these privileged events [1][6][4]. - Use ofallow-unsafe-pr-checkout: This input acts as an escape hatch [6][4]. Settingallow-unsafe-pr-checkout: truedisables the protection [7][1]. It is intentionally named to be highly visible during code reviews and static analysis to ensure developers treat the decision as a deliberate security risk [7][1][2]. Recommendations: - Do not use this flag unless absolutely necessary [7]. - Before enabling, review the GitHub security guidance forpull_request_target[7][1]. - Ensure that any code checked out from a fork in these contexts is never executed [7]. The protection only blocks checkouts of the fork's pull request head and merge commits; other forms of untrusted code execution (such as manualgitcommands or downloading artifacts) are not covered by this specific action check [7][1].Citations:
- 1: https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
- 2: https://github.com/actions/checkout
- 3: https://github.com/actions/checkout/blob/main/README.md
- 4: https://www.csoonline.com/article/4188144/github-actions-hardens-checkout-security-to-block-pwn-request-attacks-2.html
- 5: https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-critical/
- 6: actions/checkout#2454
- 7: https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target
🌐 Web query:
GitHub actions/checkout allow-unsafe-pr-checkout pull_request_target security documentation💡 Result:
As of June 2026, the actions/checkout action (v7 and later) includes built-in protections to prevent the accidental execution of untrusted fork code in privileged GitHub Actions contexts [1][2]. The
allow-unsafe-pr-checkoutinput is an opt-in flag designed to explicitly override these protections [1][2][3]. Key Security Context: 1. Privileged Contexts: Workflows triggered by pull_request_target or workflow_run (where the source event is a pull_request*) run with the base repository's GITHUB_TOKEN, secrets, and environment access [1][2][3]. 2. The Risk: If a workflow in this context checks out code from a fork (untrusted user input), it can lead to "pwn request" vulnerabilities, where malicious code from the pull request is executed with the repository's elevated permissions [1][2][4][5]. 3. The Protection: To mitigate this, actions/checkout now refuses to check out fork pull request code in these specific privileged events by default [1][2]. Using allow-unsafe-pr-checkout: - Purpose: It allows a workflow to bypass the default safety check to fetch fork pull request code [1][3]. - Best Practice: You should only set this to true if you have confirmed that the checked-out code is never executed (e.g., used only for static analysis or reporting) [6][1]. - Security Intent: The input name was specifically chosen to be descriptive and easy to identify during code reviews and static analysis, signaling that a security boundary is being intentionally crossed [6][1]. Before opting in, GitHub strongly recommends reviewing the guidance on securely using pull_request_target [6][1][2]. Top Results: [6] https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target [1] https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/ [2] https://github.com/actions/checkout/blob/main/README.md [3] actions/checkout#2454 [4] https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ [5] https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-critical/Citations:
- 1: https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
- 2: https://github.com/actions/checkout/blob/main/README.md
- 3: actions/checkout#2454
- 4: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
- 5: https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-critical/
- 6: https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target
🌐 Web query:
GitHub actions/checkout allow-unsafe-pr-checkout pull_request_target security documentation💡 Result:
As of June 2026, actions/checkout version 7 and later includes enhanced security protections to prevent "pwn request" vulnerabilities [1]. When a workflow is triggered by pull_request_target or certain workflow_run events (where the upstream event is a pull_request* event), actions/checkout will refuse to check out pull request code originating from a fork by default [1][2]. The allow-unsafe-pr-checkout input is an opt-in mechanism designed for workflows that explicitly require checking out fork pull request code within these privileged contexts [3][4]. Setting this input to true bypasses the default safety block [3]. Key Security Considerations: 1. Privileged Execution: Workflows using pull_request_target run with the base repository's GITHUB_TOKEN, secrets, and runner access [1][2]. Checking out and executing untrusted code from a fork in this environment can grant an attacker full access to these privileges [1]. 2. Intentional Naming: The input is named allow-unsafe-pr-checkout to be highly visible and easily identified during code reviews and static analysis [3][1]. 3. Recommended Practice: Before enabling this input, you must ensure that the checked-out code is never executed [3]. GitHub strongly recommends reviewing their security guidance on the pull_request_target event before opting out of this protection [3][2]. This protection specifically applies to fork pull request references [3]. It does not cover other methods of fetching untrusted code, such as using git fetch, gh pr checkout, or downloading and running arbitrary artifacts [3].
Citations:
- 1: https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
- 2: https://github.com/actions/checkout/?tab=readme-ov-file
- 3: https://docs.github.com/en/actions/reference/security/securely-using-pull_request_target
- 4: actions/checkout#2454
Remove
allow-unsafe-pr-checkoutfrom both checkout steps. In this workflow, untrusted PR code is fetched in privilegedpull_request_target/issue_commentpaths and then fed into the build/publish job, which reintroduces the pwn-request risk GitHub warns about.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-components-for-e2e-tests.yml at line 31, Remove the unsafe PR checkout setting from both checkout steps in the publish-components-for-e2e-tests workflow. The issue is that the workflow uses privileged pull_request_target and issue_comment paths, so allowing untrusted PR code to be checked out can reintroduce the pwn-request risk. Update the checkout configuration to use the default safe behavior in both places, and keep the build/publish job from consuming untrusted code in a privileged context.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dependabot[bot], rajivnathan The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
1 participant
Bumps actions/cache from 5 to 6.
Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
2c8a9bdMerge pull request #1760 from actions/samirat/esm_migration_and_package_updatee9b91fdPrettier fixese4884b8Rebuild dist10baf01Fixed licensese39b386Fix test mock return orderb692820PR feedback6074912Rebuild dist bundles as ESM to match type:module5a912e8Fix lint and jest issuesb9bf592Update documentation for v6 release80f7777Update packages, migrate to ESMSummary by CodeRabbit