actions/checkout
The standard GitHub Action that checks out your repo in CI. v7 now refuses to check out fork PR code by default under pull_request_target/workflow_run—a security default worth knowing if your agent edits workflows. ~129 stars today.
**The gist** `actions/checkout` checks out a repo into `$GITHUB_WORKSPACE` for GitHub Actions workflows. Current major is **v7** (June 18, 2026): it now **refuses to check out fork pull request code by default** under `pull_request_target` or `workflow_run`, migrated to **ESM**, and (since v6) stores credentials in `$RUNNER_TEMP` instead of `.git/config`.
**Why it matters** If you or your agent generate CI workflows, the v7 fork-PR default closes a common privilege-escalation footgun—opt back in only via `allow-unsafe-pr-checkout` after a risk review. Defaults to a single-commit fetch; use `fetch-depth: 0` for full history and `sparse-checkout` to grab only specific paths.
**The gist** `actions/checkout` checks out a repo into `$GITHUB_WORKSPACE` for GitHub Actions workflows. Current major is **v7** (June 18, 2026): it now **refuses to check out fork pull request code by default** under `pull_request_target` or `workflow_run`, migrated to **ESM**, and (since v6) stores credentials in `$RUNNER_TEMP` instead of `.git/config`.
**Why it matters** If you or your agent generate CI workflows, the v7 fork-PR default closes a common privilege-escalation footgun—opt back in only via `allow-unsafe-pr-checkout` after a risk review. Defaults to a single-commit fetch; use `fetch-depth: 0` for full history and `sparse-checkout` to grab only specific paths.
**Watch out** Recommended `permissions: { contents: read }`. Upgrading to v7 can break workflows that relied on the old fork-PR behavior or on credentials living in `.git/config`—test before bumping. ~15.3M dependents mean wide blast radius for any change.