When configuring GitHub Actions workflows, pay special attention to the checkout action's configuration to ensure both correctness and security:

1. In `pull_request_target` workflows, always specify the reference explicitly to ensure you're working with the intended branch:

```yaml
- name: Checkout code
  uses: actions/checkout@v4
  with:
    ref: $   # the rest of the expression is cut off in the source
```

2. Check out only the files the job needs by using a sparse checkout:

```yaml
- name: Checkout specific files
  uses: actions/checkout@v4
  with:
    sparse-checkout: |
      .changes/
      .changie.yaml
```
This practice helps protect against security risks when workflows might have elevated permissions, particularly when running on code from external contributors. Sparse checkouts also improve performance by reducing the amount of data transferred.
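The two steps combined into one job, as an added example that is not from the original page: a `pull_request_target` workflow that runs with a read-only token, pins the checkout to the pull request's head commit SHA instead of a mutable branch name, does not persist the workflow token into the checked-out repository, and fetches only the two files it inspects. The workflow, job and step names are assumptions; `permissions`, `ref`, `persist-credentials`, `sparse-checkout` and the `github.event.pull_request.head.sha` context are standard GitHub Actions and actions/checkout features.

```yaml
# Added example, not from the original page. The workflow, job and step names
# are assumptions; the checkout inputs are documented actions/checkout inputs.
name: changelog-check

on:
  pull_request_target:
    types: [opened, synchronize]

# Least privilege: the workflow token may read the repository and nothing else.
permissions:
  contents: read

jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      # Ambiguous form, kept only for contrast: with no `ref`, which commit you
      # get depends on the triggering event (for pull_request_target it is the
      # base branch, not the pull request), so state the reference explicitly.
      # - uses: actions/checkout@v4

      - name: Checkout changelog files from the pull request head
        uses: actions/checkout@v4
        with:
          # Pin to the immutable head commit SHA rather than a branch name that
          # can move between the trigger and the checkout.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the workflow token in the checked-out repo's .git/config.
          persist-credentials: false
          # Fetch only what the job needs: less data, and less untrusted content.
          sparse-checkout: |
            .changes/
            .changie.yaml

      - name: Verify a changelog entry exists
        # Inspect files only. Under pull_request_target this job runs with the
        # base repository's context, so never execute scripts, package
        # manifests or build steps taken from the untrusted checkout.
        run: |
          test -f .changie.yaml || { echo "missing .changie.yaml"; exit 1; }
          ls .changes/
```

The `permissions` block and `persist-credentials: false` are not strictly part of the checkout advice above, but together they limit what a compromised step could do with the token that a `pull_request_target` run carries.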