by stevekemp 194 days ago
> the issue here is specifically with `pull_request_target`

I just went to GitHub to search for references to that trigger type, and I admit I was surprised at the sheer number of times it is visible in a code search.

It seems like a common pattern, sadly.

1 comment

Yes, it’s shockingly common. I’m of the opinion that GitHub should remove it entirely, since only a tiny majority of uses of it are demonstrably safe.