Understanding the Security Risks of pull_request_target in GitHub Actions
June 19, 2026
Tags: github, security, devsecops, cicd

What is pull_request_target?
The pull_request_target event in GitHub Actions runs a workflow in the context of the base branch (the base repository's workflow file and code) rather than in the context of the pull request's changes. While this can be useful, it introduces security risks that are often overlooked.
Why is it risky?
Workflows triggered by pull_request_target execute with the base repository's GITHUB_TOKEN (with write permissions by default) and have access to repository secrets, even when the pull request comes from a fork. The danger arises when such a workflow checks out and runs code from the pull request head: malicious code introduced in the pull request then executes with that elevated level of access.
Best Practices
- Avoid using pull_request_target unless necessary.
- Restrict access to sensitive secrets.
- Review workflows carefully when this event is involved.
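As an added example (not from the original post), the risky pattern beside two hardened alternatives, written as three separate workflow files. `NPM_TOKEN` and the `npm` commands are assumed placeholders; the action names are real.

```yaml
# --- .github/workflows/ci-unsafe.yml (the risky pattern) ---------------
# pull_request_target gives a write-capable GITHUB_TOKEN and secrets, and
# this job then checks out and executes code controlled by the PR author.
name: ci-unsafe
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR-controlled code
      - run: npm ci && npm test        # runs that code with NPM_TOKEN in env
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # assumed secret name
---
# --- .github/workflows/ci.yml (hardened: test PR code without privilege) --
# pull_request runs in the PR context: read-only token for fork PRs and
# no access to repository secrets, so untrusted code gains nothing.
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # checks out the PR merge commit
      - run: npm ci && npm test
---
# --- .github/workflows/label.yml (hardened use of pull_request_target) ---
# Keep pull_request_target only for jobs that need write access to the PR
# (labelling, commenting), scope the token explicitly, and never check out
# or execute code from the pull request head in this job.
name: label
on:
  pull_request_target:
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5       # reads base-branch config only
```

Reviewing for the combination of `pull_request_target`, a checkout of `github.event.pull_request.head.*`, and a subsequent `run` step is the quickest way to spot the unsafe form during workflow review.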
Being mindful of these risks helps maintain a more secure CI/CD environment.