This repository was archived by the owner on May 20, 2026. It is now read-only.
Automated security scan flagged a `pull_request_target` workflow in your repo that checks out the PR's head SHA / ref. This is the classic GitHub Actions RCE pattern: an external contributor can submit a PR that adds arbitrary code, and the workflow runs that code with access to your repository secrets.
I'm not posting the specific file/line here for responsible-disclosure reasons.
Please contact me at Raffa@Lictor-AI.com and I'll send the exact workflow file + line that does the checkout + a 2-line patch.
The fix is usually one of:
- Switch to `pull_request` (no secret access)
- Keep `pull_request_target` but check out the base SHA only, never the head
- Add a `permissions:` block + restrict the secrets the workflow can read
A note: this came from an automated scan I manually verified before reaching out. If we're wrong, please reply and we'll close out.
— Raffa
Lictor AI · https://lictorai.com
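The pattern the report describes, shown as an added illustration rather than the reporter's finding or any file from this repository: a `pull_request_target` job that checks out the PR head and then runs a build step, beside the two hardened shapes the report lists. The workflow names, the `npm` commands, the `NPM_TOKEN` secret and the `scripts/label-pr.sh` path are all assumptions chosen for the example. The key facts it relies on are GitHub's own semantics: `pull_request_target` runs in the base repository's context with secrets and a writable `GITHUB_TOKEN`; `actions/checkout` with no `ref:` checks out `github.sha`, which for that event is the base branch, not the PR; and `permissions:` scopes only `GITHUB_TOKEN`, so other secrets are kept away from untrusted code by never referencing them in a job that runs PR content (or by moving them behind a protected environment).

```yaml
# --- Vulnerable shape (constructed example of the reported pattern) -----------
# Anything in the PR tree runs here: package.json scripts, postinstall hooks,
# test code. The job has repository secrets and a write-capable GITHUB_TOKEN.
name: pr-check-vulnerable
on:
  pull_request_target:            # base-repo context: secrets + write token
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled tree
      - run: npm ci && npm test                            # executes PR-supplied code
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # readable by that code

# --- Fix 1: switch to pull_request ----------------------------------------------
# Fork PRs now run with no repository secrets and a read-only GITHUB_TOKEN, so
# running the PR's code is safe. Use this whenever the job does not need privilege.
name: pr-check-unprivileged
on:
  pull_request:
permissions:
  contents: read                  # explicit least privilege for GITHUB_TOKEN
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # default ref is the PR merge commit; fine here
      - run: npm ci && npm test   # no secrets in scope to leak

# --- Fix 2: keep pull_request_target, but only ever run base-branch code --------
# For jobs that genuinely need privilege (labelling, commenting). No ref: is set,
# so checkout yields the base branch. Only PR *metadata* from the event payload is
# used, and it is passed through env, never interpolated into a shell command.
name: pr-label-privileged
on:
  pull_request_target:
permissions:
  pull-requests: write            # the one scope this job needs; nothing else
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # no ref: -> github.sha -> base branch, never PR code
      - run: ./scripts/label-pr.sh    # trusted script from the base branch (assumed path)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          # no third-party secrets referenced here: permissions: does not govern them
```

To find candidates in a repository, list workflows that use the privileged trigger (`grep -rln pull_request_target .github/workflows`) and inspect each `actions/checkout` step in them for a `ref:` that points at `github.event.pull_request.head.*` or `github.head_ref`; a checkout with no `ref:` under `pull_request_target` is the safe default, while any `ref:` naming the PR head, followed by a build, install or test step, is the reported pattern. If a job really must build PR code with privilege, the usual split is an unprivileged `pull_request` job that produces an artifact and a separate `workflow_run` job that consumes it without checking out the PR.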