update description and url again

2026-06-16 00:39:41 +00:00 · 2026-06-15 21:07:44 +00:00
parent cb140b4908
commit baaeba4a5e
4 changed files with 14 additions and 14 deletions
@@ -164,9 +164,9 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
    # Required to check out fork pull request code from a workflow triggered by
    # `pull_request_target` or `workflow_run`. These workflows run with the base
    # repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
-    # access; fetching a fork's code in that trusted context is a "pwn request"
+    # access; fetching and executing a fork's code in that trusted context commonly
-    # supply-chain attack pattern. Set to `true` only after reviewing the risks at
+    # leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
-    # https://gh.io/allow-unsafe-pr-checkout.
+    # risks at https://gh.io/securely-using-pull-request-checkout.
    # Default: false
    allow-unsafe-pr-checkout: ''
 ```
@@ -103,9 +103,9 @@ inputs:
      Required to check out fork pull request code from a workflow triggered by
      `pull_request_target` or `workflow_run`. These workflows run with the
      base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
-      runner access; fetching a fork's code in that trusted context is a
+      runner access; fetching and executing a fork's code in that trusted
-      "pwn request" supply-chain attack pattern. Set to `true` only after
+      context commonly leads to "pwn request" vulnerabilities. Set to `true`
-      reviewing the risks at https://gh.io/allow-unsafe-pr-checkout.
+      only after reviewing the risks at https://gh.io/securely-using-pull-request-checkout.
    default: false
 outputs:
  ref:
@@ -2832,10 +2832,10 @@ function assertSafePrCheckout(input) {
    }
    throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
        `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
-        `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
+        `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-        `"pwn request" supply-chain attack pattern. To opt in after reviewing the risks at ` +
+        `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
-        `https://gh.io/allow-unsafe-pr-checkout, set 'allow-unsafe-pr-checkout: true' on the ` +
+        `the risks at https://gh.io/securely-using-pull-request-checkout, set ` +
-        `actions/checkout step.`);
+        `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
 }
 function pushIfSha(target, value) {
    if (typeof value === 'string' && value.length > 0) {
@@ -74,10 +74,10 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
  throw new Error(
    `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
      `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
-      `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
+      `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
-      `"pwn request" supply-chain attack pattern. To opt in after reviewing the risks at ` +
+      `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
-      `https://gh.io/allow-unsafe-pr-checkout, set 'allow-unsafe-pr-checkout: true' on the ` +
+      `the risks at https://gh.io/securely-using-pull-request-checkout, set ` +
-      `actions/checkout step.`
+      `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
  )
 }