What is the security risk of using `actions/checkout` with a PR’s head SHA versus the merge SHA in `pull_request_target` workflows?

Github Hard


Key points

  • A `pull_request_target` workflow runs in the context of the base repository: it can read repository secrets and, unless `permissions` is restricted, holds a `GITHUB_TOKEN` with write access. For that reason `actions/checkout` defaults to the base branch under this event, not to the PR.
  • Overriding that default with `ref: ${{ github.event.pull_request.head.sha }}` (or `head.ref`) pulls the contributor's commits into that privileged job. Anything that then executes out of the checkout (a `Makefile`, `npm ci` lifecycle scripts, a test runner, a script committed under `.github/`) is attacker-controlled code running with the base repository's secrets and write token.
  • The merge SHA (`refs/pull/N/merge`) is no safer: it is the PR head merged onto the base branch, so it still contains every change the contributor made. The only trusted checkout is the base branch itself.
  • If the PR's code has to be built or tested, run it in a job that has nothing worth stealing: a `pull_request`-triggered workflow (for fork PRs, secrets are withheld and the token is read-only), or at minimum a separate job with `permissions: {}` that references no secrets and checks out with `persist-credentials: false`. Pass results to the privileged side as an artifact consumed by a `workflow_run` workflow that checks out only the base branch and treats the artifact as data, never as code.
  • Every secret the privileged job references (`${{ secrets.X }}`) is exposed to that code, whether it arrives as an environment variable, as a file on disk, or by dumping the process that holds it.
  • The write-scoped `GITHUB_TOKEN` (and any git credentials `actions/checkout` persisted in `.git/config`) lets that code push commits, tag or edit releases, and otherwise modify the base repository.
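An added illustration, not taken from the original page: first the vulnerable shape (privileged event plus a checkout of the PR head, followed by a step that executes the checked-out code), then the split pattern that runs the contributor's code where no secrets exist and lets a privileged `workflow_run` workflow consume the result. The file paths, workflow names, the `NPM_TOKEN` secret, the `pr-results` artifact and the `gh pr comment` step are assumptions made for the example; actions are referenced by major tag for readability and should be pinned to a commit SHA in a real repository.

```yaml
# .github/workflows/vulnerable.yml  (hypothetical path; DO NOT copy this shape)
name: Vulnerable CI
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Pulls the contributor's commits into a job that holds secrets and a
          # write-scoped GITHUB_TOKEN. refs/pull/N/merge would be just as bad:
          # it is this same head merged onto the base branch.
          ref: ${{ github.event.pull_request.head.sha }}
      # package.json "preinstall"/"postinstall" scripts come from the PR, so
      # this executes attacker-controlled code with NPM_TOKEN in its environment.
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name

---
# .github/workflows/untrusted-ci.yml  (hypothetical path)
# Part 1: the PR's code runs here, where there is nothing to steal.
name: Untrusted CI
on:
  pull_request:          # for fork PRs: no secrets, read-only GITHUB_TOKEN
permissions:
  contents: read         # belt and braces: token cannot write even for same-repo PRs
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # under pull_request this is refs/pull/N/merge
        with:
          persist-credentials: false   # leave no token in .git/config for PR code to reuse
      - run: npm ci && npm test        # untrusted code, but no secrets to reach
      # Record which PR this run belongs to. The value goes through an env var
      # rather than being interpolated into the script, to avoid expression injection.
      - run: printf '%s\n' "$PR_NUMBER" > pr_number.txt
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
      - uses: actions/upload-artifact@v4
        with:
          name: pr-results             # assumed artifact name
          path: pr_number.txt

---
# .github/workflows/privileged-followup.yml  (hypothetical path)
# Part 2: the privileged side never checks out or executes PR code.
name: Privileged follow-up
on:
  workflow_run:
    workflows: ["Untrusted CI"]
    types: [completed]
permissions:
  actions: read          # needed to download another run's artifact
  pull-requests: write   # only what the comment step needs, nothing more
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # default ref here is the default branch: trusted
      - uses: actions/download-artifact@v4
        with:
          name: pr-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The artifact was produced by untrusted code: validate it as data, never run it.
      - run: |
          pr=$(tr -dc '0-9' < pr_number.txt)
          [ -n "$pr" ] || { echo "artifact did not contain a PR number" >&2; exit 1; }
          gh pr comment "$pr" --body "Untrusted CI passed for this PR."
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The dividing line is not which SHA is checked out but which event the code runs under: in the hardened pair, the only workflow that ever executes PR-controlled code has no secrets and a read-only token, and the only workflow with write access consumes a validated artifact while checked out on the base branch.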
