GitHub updates actions/checkout to block pwn requests
🔒 GitHub is updating the official actions/checkout action to refuse common pwn request patterns by default, effective June 18, 2026, with backports planned for July 16, 2026. The change prevents checking out forked pull request head or merge commits in pull_request_target and certain workflow_run events unless authors explicitly set allow-unsafe-pr-checkout to true. This aims to reduce attacks that exploit privileged workflows to steal secrets or the GITHUB_TOKEN.
