What is GitHub’s `pull_request_target` event and why must it be used with extreme caution?

Question

Github — Hard

What is GitHub’s `pull_request_target` event and why must it be used with extreme caution?

Accepted Answer

The `pull_request_target` event poses a significant security risk because it executes workflows in the base repository's context, exposing secrets and write permissions to potentially malicious fork PRs. This makes it a prime attack vector. Incorrect options, such as A and C, misrepresent the event's scope and triggers. Option D is also incorrect, as it misunderstands the event's permission model.