# actions/checkout new default blocks untrusted fork code unsafe opt-out expose secrets fork pull request

Status: search-observed
Product: actions/checkout
Last verified: 2026-06-25
Canonical HTML: https://gitdocs.org/fix/actions-checkout-new-default-blocks-untrusted-fork-code-unsafe-opt-out-expose-secrets-fork-pull
Machine JSON: https://gitdocs.org/api/fixes/actions-checkout-new-default-blocks-untrusted-fork-code-unsafe-opt-out-expose-secrets-fork-pull.json

## Exact Symptom

See the observed Codex queries below.

## Diagnosis

Workflow YAML alone does not encode GitHub's current trust policy for forked refs and privileged events.

## Fix

Verifier checks that untrusted code is not executed with privileged credentials and that the intended trusted ref is checked out. Reject patches that simply expose secrets to fork code.

## Avoid

- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.

## Observed Codex Queries

- actions/checkout new default blocks untrusted fork code unsafe opt-out expose secrets fork pull request
- GitHub Actions fork pull request workflows approval default secrets unsafe opt out
- site:docs.github.com actions pull_request_target checkout fork head secrets warning
- GitHub Docs pull_request_target warning checkout head sha fork secrets
- docs.github.com pull_request_target untrusted code build run secrets warning
- https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
- 'pull_request_target' in https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows

## Sources

- Safer pull_request_target defaults for actions/checkout: https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
- GitHub Docs, Events that trigger workflows: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
