pull_request_target with PR head checkout
=========================================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``pr_target_injection``
   * - Category
     - security
   * - Severity
     - critical

Workflow triggers on ``pull_request_target`` and checks out the PR head ref. This grants untrusted code access to repository secrets.

Detection
---------

``static_analysis`` — Checks field presence or value in the workflow YAML.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   on:
     pull_request_target:
   jobs:
     ci:
       steps:
         - uses: actions/checkout@v4
           with:
             ref: ${{ github.event.pull_request.head.ref }}
         - run: npm test

**Compliant:**

.. code-block:: yaml

   on:
     pull_request:
   jobs:
     ci:
       steps:
         - uses: actions/checkout@v4
         - run: npm test

**Fix**: Use the ``pull_request`` trigger instead of ``pull_request_target`` for CI checks. If ``pull_request_target`` is required, never check out the PR head ref in the same job as privileged operations.
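The following is an added example of how the ``static_analysis`` check above can be implemented; it is not the rule engine's own code. It takes a workflow already loaded into Python mappings (the shape a loader such as PyYAML's ``safe_load`` produces), and goes slightly beyond the page by also flagging ``head.sha`` and ``github.head_ref``, which resolve to the same untrusted PR head. The sample workflows at the bottom are constructed to mirror the page's two examples.

```python
"""Detector for the pr_target_injection rule (added example, not the rule engine's code)."""
import re

# Expressions that resolve to the untrusted PR head when passed to actions/checkout.
# The page names head.ref; head.sha and github.head_ref are included as a generalization.
HEAD_REF_PATTERN = re.compile(
    r"github\.event\.pull_request\.head\.(ref|sha)|github\.head_ref"
)


def _triggers(workflow):
    """Return the list of event names a workflow triggers on."""
    # PyYAML (YAML 1.1) parses a bare `on:` key as the boolean True, so accept both keys.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return list(on)
    if isinstance(on, dict):
        return list(on.keys())
    return []


def find_violations(workflow):
    """Return (job_id, step_index) pairs where a pull_request_target workflow
    checks out the PR head with actions/checkout."""
    if "pull_request_target" not in _triggers(workflow):
        return []
    hits = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for index, step in enumerate((job or {}).get("steps") or []):
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and HEAD_REF_PATTERN.search(ref):
                hits.append((job_id, index))
    return hits


# Constructed samples mirroring the page's non-compliant and compliant workflows.
NON_COMPLIANT = {
    "on": {"pull_request_target": None},
    "jobs": {"ci": {"steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.ref }}"}},
        {"run": "npm test"},
    ]}},
}
COMPLIANT = {
    True: {"pull_request": None},  # key as PyYAML would load `on:`
    "jobs": {"ci": {"steps": [{"uses": "actions/checkout@v4"}, {"run": "npm test"}]}},
}

if __name__ == "__main__":
    print(find_violations(NON_COMPLIANT))  # [('ci', 0)]
    print(find_violations(COMPLIANT))      # []
```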