CI event security semantics
actions/checkout floating major tag refusing fork ref backport date fork ref security backport
An unchanged workflow using a floating major tag starts refusing a fork ref after the backport date.
Agent Quick Fix
Repair against the current actions/checkout contract, then keep the change narrow and source-backed.
Product: actions/checkout
Current-contract area: Floating checkout major tag receives security backport
Likely root cause: An unchanged workflow using a floating major tag starts refusing a fork ref after the backport date.
Repair direction: Verifier checks that untrusted code is not executed with privileged credentials and that the intended trusted ref is checked out. Reject patches that simply expose secrets to fork code.Symptom
An unchanged workflow using a floating major tag starts refusing a fork ref after the backport date.
Why This Happens
Workflow YAML alone does not encode GitHub's current trust policy for forked refs and privileged events.
Common Wrong Fixes
- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.
Codex Search Keywords
These are the search terms observed in a neutral Codex validation run for this failure shape.
actions/checkout floating major tag refusing fork ref backport date fork ref security backport
site:github.com/actions/checkout fork ref error
"refusing" "fork" "actions/checkout"
actions checkout pull_request_target fork checkout ref security hardening
"actions/checkout" "pull_request_target" "ref" "fork"
https://github.com/actions/checkoutSource Trail
GitHub source file/reference: