diff --git a/README.md b/README.md
index 5014988..f184d30 100644
--- a/README.md
+++ b/README.md
@@ -164,9 +164,9 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 # Required to check out fork pull request code from a workflow triggered by
 # `pull_request_target` or `workflow_run`. These workflows run with the base
 # repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
- # access; fetching a fork's code in that trusted context is a "pwn request"
- # supply-chain attack pattern. Set to `true` only after reviewing the risks at
- # https://gh.io/allow-unsafe-pr-checkout.
+ # access; fetching and executing a fork's code in that trusted context commonly
+ # leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
+ # risks at https://gh.io/securely-using-pull-request-checkout.
 # Default: false
 allow-unsafe-pr-checkout: ''
 ```
diff --git a/action.yml b/action.yml
index a2a5a1d..a7321f2 100644
--- a/action.yml
+++ b/action.yml
@@ -103,9 +103,9 @@ inputs:
 Required to check out fork pull request code from a workflow triggered by
 `pull_request_target` or `workflow_run`. These workflows run with the base
 repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
- runner access; fetching a fork's code in that trusted context is a
- "pwn request" supply-chain attack pattern. Set to `true` only after
- reviewing the risks at https://gh.io/allow-unsafe-pr-checkout.
+ runner access; fetching and executing a fork's code in that trusted
+ context commonly leads to "pwn request" vulnerabilities. Set to `true`
+ only after reviewing the risks at https://gh.io/securely-using-pull-request-checkout.
 default: false
 outputs:
 ref:
diff --git a/dist/index.js b/dist/index.js
index 1e0b022..97b462a 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -2832,10 +2832,10 @@ function assertSafePrCheckout(input) {
 }
 throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
 `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
- `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
- `"pwn request" supply-chain attack pattern. To opt in after reviewing the risks at ` +
- `https://gh.io/allow-unsafe-pr-checkout, set 'allow-unsafe-pr-checkout: true' on the ` +
- `actions/checkout step.`);
+ `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
+ `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
+ `the risks at https://gh.io/securely-using-pull-request-checkout, set ` +
+ `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
 }
 function pushIfSha(target, value) {
 if (typeof value === 'string' && value.length > 0) {
diff --git a/src/unsafe-pr-checkout-helper.ts b/src/unsafe-pr-checkout-helper.ts
index 7992caf..f3ff242 100644
--- a/src/unsafe-pr-checkout-helper.ts
+++ b/src/unsafe-pr-checkout-helper.ts
@@ -74,10 +74,10 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
 throw new Error(
 `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
 `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
- `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
- `"pwn request" supply-chain attack pattern. To opt in after reviewing the risks at ` +
- `https://gh.io/allow-unsafe-pr-checkout, set 'allow-unsafe-pr-checkout: true' on the ` +
- `actions/checkout step.`
+ `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
+ `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
+ `the risks at https://gh.io/securely-using-pull-request-checkout, set ` +
+ `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
 )
 }
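Review bot: The documentation URL is spelled out verbatim inside this template-literal chain and again in the mirrored dist/index.js hunk, which is why the rename had to be applied by hand in both; hoisting it in this file to `export const UNSAFE_PR_CHECKOUT_DOCS_URL = 'https://gh.io/securely-using-pull-request-checkout'` and interpolating `${UNSAFE_PR_CHECKOUT_DOCS_URL}` in the message would let the source and any test that asserts on the message share one value, with dist regenerated from it. The refusal names only the opt-in as the next step; a short clause pointing at the safer alternative (trigger on `pull_request`, or keep the `pull_request_target` job from running the fork's code) would make the error actionable without weakening the guard, and the same clause belongs in the README.md and action.yml descriptions changed by this commit. assertSafePrCheckout begins before this hunk, so the eventName check that reaches this throw is not visible here.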