# actions/checkout floating major tag refusing fork ref backport date fork ref security backport

Status: search-observed
Product: actions/checkout
Last verified: 2026-06-25
Canonical HTML: https://gitdocs.org/fix/actions-checkout-floating-major-tag-refusing-fork-ref-backport-date-fork-ref-security-backport
Machine JSON: https://gitdocs.org/api/fixes/actions-checkout-floating-major-tag-refusing-fork-ref-backport-date-fork-ref-security-backport.json

## Exact Symptom

See the observed Codex queries below.

## Diagnosis

Workflow YAML alone does not encode GitHub's current trust policy for forked refs and privileged events.

## Fix

```
Verifier checks that untrusted code is not executed with privileged credentials and that the intended trusted ref is checked out. Reject patches that simply expose secrets to fork code.
```

## Avoid

- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.

## Observed Codex Queries

- actions/checkout floating major tag refusing fork ref backport date fork ref security backport
- site:github.com/actions/checkout fork ref error
- "refusing" "fork" "actions/checkout"
- actions checkout pull_request_target fork checkout ref security hardening
- "actions/checkout" "pull_request_target" "ref" "fork"
- https://github.com/actions/checkout

## Sources

- Safer pull_request_target defaults for actions/checkout: https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
- GitHub source file or repository reference: https://github.com/actions/checkout