1 file changed +9 -4 lines changed
@@ -33,10 +33,15 @@ runs:
3333 uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
3434 with :
3535 token : ${{ inputs.github_token }}
36- # For pull_request_target: checkout the actual PR code, not the base branch
37- ref : ${{ github.event.pull_request.head.sha || github.sha }}
38- # Support forks by using the head repository when available
39- repository : ${{ github.event.pull_request.head.repo.full_name || github.repository }}
36+ # In pull_request_target, use the base repo's synthetic merge ref to avoid cross-repo clones
37+ # and to prevent running fork code with elevated credentials. Otherwise, fall back to sha.
38+ ref : ${{ (github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number)) || github.event.pull_request.head.sha || github.sha }}
39+ # Always clone from the base repository to avoid permission issues with forks
40+ repository : ${{ github.repository }}
41+ # Do not persist credentials into the repo's local config (reduces risk of token exfiltration)
42+ persist-credentials : false
43+ # Faster, smaller checkout
44+ fetch-depth : 1
4045
4146 - name : Aqua Cache
4247 uses : actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
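Review bot: The comment added at new lines 36–37 says the merge ref prevents running fork code with elevated credentials, but `refs/pull/<n>/merge` is the PR head merged into the base branch, so under `pull_request_target` the workspace still holds fork-controlled files. `persist-credentials: false` keeps the token out of the local git config, yet any later step of this composite action that executes or trusts workspace content (the steps from `Aqua Cache` onward continue outside the hunk) would still run with the job's token and secrets. I would reword the comment to `# pull_request_target: refs/pull/N/merge still contains untrusted PR changes; treat the workspace as data, do not execute it`, and, if later steps must run repository code, check out `github.event.pull_request.base.sha` for that event instead. The merge ref is also mutable and is not available when the PR has conflicts, so the checkout can fail or pick up commits pushed after a review.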