GitHub Actions hardens checkout security to block ‘pwn request’ attacks
Summary
GitHub has enhanced the security of its actions/checkout tool to combat 'pwn request' attacks. Version 7 now automatically blocks the fetching of unreviewed fork pull request code within pull_request_target or workflow_run events, aiming for a more secure default posture for developers.
IFF Assessment
This update strengthens security by default, making it harder for attackers to exploit vulnerabilities in the development workflow, thus benefiting defenders.
Defender Context
This change is significant for defenders because it addresses a known attack vector that exploits the trust inherent in pull request workflows. Developers and security teams should be aware of these new protections, ensure their CI/CD pipelines are configured to leverage them, and understand the implications of the 'allow-unsafe-pr-checkout' opt-out.
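As an added illustration (constructed for this page, not taken from the GitHub announcement or the actions/checkout project), the first workflow below shows the pattern the new default guards against: a pull_request_target job, which runs with the base repository's secrets, checking out and executing the fork's head commit. The second shows a hardened layout; the `@v7` tag follows the version named above, while the `npm` steps and workflow names are assumed placeholders.

```yaml
# --- Risky pattern: fork code executed in a privileged context ---
# pull_request_target runs in the base repository with its secrets, yet the
# checkout step below explicitly fetches the fork's head commit and the
# following step executes scripts from it.
name: ci-risky
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # unreviewed fork code
      - run: npm ci && npm test   # package scripts from the fork run with secrets in scope

---
# --- Hardened layout ---
# Untrusted fork code is built under the plain pull_request event, which
# grants no secrets and a read-only token. The privileged pull_request_target
# job stays on the base branch (the default checkout ref) and never fetches
# the fork's head. With checkout v7 the risky explicit fork-head fetch under
# pull_request_target is refused by default; re-enabling it requires the
# 'allow-unsafe-pr-checkout' opt-out mentioned above (exact input syntax is
# not shown here; check the action's documentation before using it).
name: ci-hardened
on:
  pull_request:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test-untrusted:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v7   # checks out the PR merge ref without secrets
      - run: npm ci && npm test

  label-privileged:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v7   # default ref: base branch, trusted code only
      - run: ./scripts/label-pr.sh   # assumed helper living on the base branch
```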