Prompt
When configuring GitHub Actions workflows, pay special attention to the checkout action’s configuration to ensure both correctness and security:
- In `pull_request_target` workflows, always specify the reference explicitly to ensure you're working with the intended branch:

  ```yaml
  - name: Checkout code
    uses: actions/checkout@v4
    with:
      ref: $
  ```
- When your workflow only needs specific files or directories, use sparse-checkout to minimize unnecessary file access and improve security:
  ```yaml
  - name: Checkout specific files
    uses: actions/checkout@v4
    with:
      sparse-checkout: |
        .changes/
        .changie.yaml
  ```
This practice helps protect against security risks when workflows might have elevated permissions, particularly when running on code from external contributors. Sparse checkouts also improve performance by reducing the amount of data transferred.
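Putting both points together, here is an added example workflow (not from the original page) that runs on `pull_request_target`, pins the checkout to the PR head commit, checks out only the changelog files, and inspects them without executing anything from the contributor's branch. It assumes a repository that keeps changie fragments under `.changes/` and its config in `.changie.yaml`.

```yaml
# Added example, not from the original page. Assumes changie fragments live
# under .changes/ and the changie config is .changie.yaml.
name: changelog-check

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# The default GITHUB_TOKEN in a pull_request_target run has write access to the
# base repository; grant the job only what it needs.
permissions:
  contents: read

jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout changelog files from the PR head
        uses: actions/checkout@v4
        with:
          # Pin to the exact commit under review, not the mutable branch name.
          ref: ${{ github.event.pull_request.head.sha }}
          # Only the files this job reads; nothing else from the PR touches disk.
          sparse-checkout: |
            .changes/
            .changie.yaml

      - name: Require a new changelog fragment
        # Read-only inspection of the checked-out files; no script, build tool
        # or dependency from the contributor's branch is executed here.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          git fetch --depth=1 origin "$BASE_SHA"
          added="$(git diff --name-only --diff-filter=A "$BASE_SHA" HEAD -- .changes/)"
          if [ -z "$added" ]; then
            echo "::error::this PR adds no changelog fragment under .changes/"
            exit 1
          fi
          echo "changelog fragment(s): $added"
```

Keep the job that handles the untrusted checkout separate from any job that needs write permissions or runs project tooling; the latter should check out the base branch, not the PR head.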