fix(ci): make docs-governance fork-PR safe under actions/checkout v7 #5885
Merged
jamesarich merged 1 commit into Jun 20, 2026
actions/checkout@v7 refuses fork checkout under pull_request_target (pwn-request guard), failing the 'Docs quality gates' check on every fork PR. Split docs-governance by trust level:
- validate (Docs quality gates) -> pull_request (fork context, read-only token, no secrets) so it can safely check out + run fork node scripts.
- staleness / preview-staleness stay on pull_request_target for the write token but no longer check out fork code; they read the changed-file list via 'gh pr diff --name-only'.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Why

`actions/checkout@v7` refuses to check out fork PR code from a `pull_request_target` workflow (the "pwn request" guard). `docs-governance.yml` runs all three of its jobs on `pull_request_target` and checks out the fork's `head.sha`, so every fork PR now fails the Docs quality gates check at the checkout step (e.g. #5856). The two staleness jobs are currently masked only because they're dismissed by `skip-docs-check` / `skip-preview-check` labels — they carry the same latent failure.

🛠️ What

Split the workflow by trust level instead of opting into the unsafe flag:

- `validate` (Docs quality gates) now runs on `pull_request`. It must check out and execute fork-supplied code (`node scripts/*.js`); under `pull_request` the token is read-only and secrets are unavailable, so that execution is safe. It is skipped on `pull_request_target`.
- `staleness` / `preview-staleness` stay on `pull_request_target` (they need the write token to post advisory comments) but no longer check out fork code — they read the changed-file list via `gh pr diff --name-only`. No fork code is fetched or executed.

This deliberately avoids `allow-unsafe-pr-checkout: true`, which would run fork-controlled scripts with the base write token and secrets (RCE).

Notes

- `main`: `pull_request_target` jobs use the base workflow immediately; the `validate` check runs for a fork PR after it next merges `main` (the `pull_request` trigger comes from the PR head's copy).
- `validate`'s doc checks never actually ran before (they died at checkout); this lets them run. Any real doc-link/coverage failures they surface are separate from this infra fix.

Testing Performed

`actionlint` passes (only a pre-existing SC2129 shellcheck style note in untouched code).

🤖 Generated with Claude Code
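The trust-level split the PR describes, sketched as an added illustrative workflow. This is not the repository's actual `docs-governance.yml`: the `paths` filter, the `setup-node` step, the script name `scripts/check-doc-links.js`, the `src/` vs `docs/` staleness heuristic and the comment text are all assumptions, and `preview-staleness` is omitted because it follows the same shape as `staleness`. Only the job names, the labels, `gh pr diff --name-only` and the avoided `allow-unsafe-pr-checkout` flag come from the post.

```yaml
name: docs-governance (illustrative sketch, not the project's file)

on:
  pull_request:
    paths: ['docs/**', 'src/**']          # assumed filter
  pull_request_target:
    paths: ['docs/**', 'src/**']          # assumed filter

permissions: {}   # default-deny at the workflow level; each job opts in

jobs:
  # Untrusted tier: this job runs code supplied by the fork, so it may only
  # ever hold the read-only token that the pull_request event provides.
  validate:
    name: Docs quality gates
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v7
        # pull_request checks out the PR merge ref with a read-only token and
        # no secrets, so executing fork scripts here leaks nothing.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: node scripts/check-doc-links.js     # assumed script name

  # Trusted tier: needs a write token to post an advisory comment, therefore
  # it must never fetch or execute fork-controlled code.
  staleness:
    if: >-
      github.event_name == 'pull_request_target' &&
      !contains(github.event.pull_request.labels.*.name, 'skip-docs-check')
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    env:
      GH_TOKEN: ${{ github.token }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
    steps:
      # Deliberately no actions/checkout here: the base branch's workflow file
      # is the only code this job runs.
      #
      # What this PR avoids (shown for contrast, do not use):
      # - uses: actions/checkout@v7
      #   with:
      #     ref: ${{ github.event.pull_request.head.sha }}
      #     allow-unsafe-pr-checkout: true   # fork scripts + base write token + secrets
      - name: Read the changed-file list from the API instead of a checkout
        run: |
          gh pr diff "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --name-only > changed.txt
          echo "Changed files:"; cat changed.txt
      - name: Post advisory comment when code changed but docs did not (assumed heuristic)
        run: |
          if grep -q '^src/' changed.txt && ! grep -q '^docs/' changed.txt; then
            gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" \
              --body "Advisory: this PR touches src/ but not docs/. Add the skip-docs-check label if no doc update is needed."
          fi
```

The defensive property to check when reviewing a workflow of this shape is simple: every job that holds `pull-requests: write` (or any secret) under `pull_request_target` contains no `actions/checkout` of a PR ref and no step that executes anything from the PR, while every job that does execute PR content runs only on `pull_request` with `contents: read`. `PR_NUMBER` is passed through an environment variable rather than interpolated into the shell line so that untrusted event fields never reach the script text.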