From 9cfad70759fd52c556e077b0f6f993f228b2c4a1 Mon Sep 17 00:00:00 2001 From: Aiqiao Yan <55104035+aiqiaoy@users.noreply.github.com> Date: Wed, 17 Jun 2026 13:51:53 -0400 Subject: [PATCH] update error wording (#2467) --- dist/index.js | 6 +++--- src/unsafe-pr-checkout-helper.ts | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dist/index.js b/dist/index.js index 7e6459a..1b04da9 100644 --- a/dist/index.js +++ b/dist/index.js @@ -13407,9 +13407,9 @@ function assertSafePrCheckout(input) { throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` + `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` + `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` + - `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` + - `the risks at https://gh.io/securely-using-pull_request_target, set ` + - `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`); + `context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` + + `at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` + + `on the actions/checkout step.`); } exports.assertSafePrCheckout = assertSafePrCheckout; function pushIfSha(target, value) { diff --git a/src/unsafe-pr-checkout-helper.ts b/src/unsafe-pr-checkout-helper.ts index efc0ef6..f6bf389 100644 --- a/src/unsafe-pr-checkout-helper.ts +++ b/src/unsafe-pr-checkout-helper.ts @@ -75,9 +75,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void { `Refusing to check out fork pull request code from a '${eventName}' workflow. ` + `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` + `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` + - `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` + - `the risks at https://gh.io/securely-using-pull_request_target, set ` + - `'allow-unsafe-pr-checkout: true' on the actions/checkout step.` + `context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` + + `at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` + + `on the actions/checkout step.` ) }