Update content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md

Sharra-writes · JarLob · web-flow · commit 5a33ec208042 · 2025-07-09T17:25:00.000-07:00
Co-authored-by: Jaroslav Lobačevski &lt;jarlob@github.com&gt;
diff --git a/content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md b/content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md
@@ -178,7 +178,7 @@ There are a number of different approaches available to help you mitigate the ri
 
 ### Avoid potentially dangerous workflow triggers
 
-Avoid using the `pull_request_target` and `workflow_run` workflow triggers if not necessary. Only use these workflow triggers when the workflow actually needs the privileged context and access from the target repo to be available in the workflow.
+Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context.
 
 ### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content
 
