Update content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md

Sharra-writes · JarLob · wrslatz · wrslatz · commit f6168b7c8c6d · 2025-07-10T09:39:30.000-04:00
Co-authored-by: Jaroslav Lobačevski &lt;jarlob@github.com&gt;
Co-authored-by: Will Slattum &lt;wrslatz@gmail.com&gt;
diff --git a/content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md b/content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md
@@ -182,7 +182,7 @@ Avoid using the `pull_request_target` and `workflow_run` workflow triggers if no
 
 ### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content
 
-Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control.
+Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution (i.e. as untrusted).
 
 ### Use CodeQL to detect potentially vulnerable workflows
 
