Update content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md

Sharra-writes · JarLob · web-flow · commit 49a0d0a2a728 · 2025-07-09T17:23:45.000-07:00
Co-authored-by: Jaroslav Lobačevski &lt;jarlob@github.com&gt;
diff --git a/content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md b/content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md
@@ -182,7 +182,7 @@ Avoid using the `pull_request_target` and `workflow_run` workflow triggers if no
 
 ### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content
 
-Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control.
+Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution (i.e. as untrusted).
 
 ### Use CodeQL to detect potentially vulnerable workflows
 
