Fix to improve security around creation of pull requests in public repos

We've shipped a small fix to improve security around creation of pull requests in public repos.

Prior to this fix and under very specific conditions, a user could create a pull request in a public repo even though they did not have push access to either the base or head branch and were not a member of the repo's organization. Often these pull requests were created by mistake and quickly closed, but could still trigger unexpected GitHub Actions or other CI jobs.

This fix has no impact on the common open source workflow where a user forks a public repo, makes a change in their fork, and then proposes their change using a pull request. This fix also has no impact on pull requests already created.

We want to hear from you! Let us know if you have questions or feedback.

JUN.12Retired
GitHub Actions: Minimum version enforcement timeline for self-hosted runners
- Actions
JUN.11Improvement
Bot-created pull requests can run workflows if approved
- Actions
JUN.11Release
New runner images in public preview
- Actions
JUN.11Release
GitHub Agentic Workflows is now in public preview
- Actions
MAY.14Improvement
GitHub Actions: Upcoming image migrations
- Actions
MAY.7Improvement
GitHub Actions concurrency groups now allow larger queues
- Actions
APR.27Improvement
Copilot cloud agent starts 20% faster with Actions custom images
- Actions
APR.27Release
GitHub Copilot code review will start consuming GitHub Actions minutes on June 1, 2026
- Actions
APR.24Improvement
Notice about upcoming new format for GitHub App installation tokens
- Actions

Fix to improve security around creation of pull requests in public repos

Related Posts

Subscribe to our developer newsletter