{
  "id": "P024",
  "slug": "actions-checkout-floating-major-tag-refusing-fork-ref-backport-date-fork-ref-security-backport",
  "status": "search-observed",
  "product": "actions/checkout",
  "family": "CI event security semantics",
  "canonical_url": "https://gitdocs.org/fix/actions-checkout-floating-major-tag-refusing-fork-ref-backport-date-fork-ref-security-backport",
  "query_alias_url": "https://gitdocs.org/q/actions-checkout-floating-major-tag-refusing-fork-ref-backport-date-fork-ref-security-backport",
  "markdown_url": "https://gitdocs.org/fix/actions-checkout-floating-major-tag-refusing-fork-ref-backport-date-fork-ref-security-backport.md",
  "json_url": "https://gitdocs.org/api/fixes/actions-checkout-floating-major-tag-refusing-fork-ref-backport-date-fork-ref-security-backport.json",
  "canonical_query": "actions/checkout floating major tag refusing fork ref backport date fork ref security backport",
  "observed_codex_queries": [
    "actions/checkout floating major tag refusing fork ref backport date fork ref security backport",
    "site:github.com/actions/checkout fork ref error",
    "\"refusing\" \"fork\" \"actions/checkout\"",
    "actions checkout pull_request_target fork checkout ref security hardening",
    "\"actions/checkout\" \"pull_request_target\" \"ref\" \"fork\"",
    "https://github.com/actions/checkout"
  ],
  "organic_dependency_search_count": 6,
  "affected_versions": "",
  "exact_errors": [],
  "diagnosis": "Workflow YAML alone does not encode GitHub's current trust policy for forked refs and privileged events.",
  "before": "",
  "after": "",
  "verification": "The verifier checks that untrusted code is not executed with privileged credentials and that the intended trusted ref is checked out. Reject patches that simply expose secrets to fork code.",
  "unsafe_fixes": [
    "Changing local code without checking the current external contract.",
    "Retrying the same install, build, or API call with no version/source change.",
    "Applying a broad unsafe bypass when a narrow compatibility fix is available."
  ],
  "last_verified_at": "2026-06-25",
  "neutral_validation": {
    "organic_search_observed": true,
    "organic_strict_pass": true,
    "no_web_counterfactual_run": false,
    "no_web_strict_pass": null,
    "search_necessity_under_fixture": null,
    "no_web_oracle_note": "Observed query evidence is separated from necessity proof; no-web and stale-contract counterfactuals should be tracked separately."
  },
  "source_trail": [
    {
      "url": "https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/",
      "label": "Safer pull_request_target defaults for actions/checkout"
    },
    {
      "url": "https://github.com/actions/checkout",
      "label": "GitHub source file or repository reference"
    }
  ],
  "source_github_links": [
    {
      "url": "https://github.com/actions/checkout",
      "label": "GitHub source file or repository reference"
    }
  ]
}
