Security: pr-quality-check.yaml workflow is vulnerable to code execution and token theft from fork PRs

## Summary

Your `pr-quality-check.yaml` workflow is vulnerable to the classic ["Pwn Request"](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/) pattern — it uses `pull_request_target` to check out and execute untrusted fork code with `contents: write` and `pull-requests: write` permissions. This was recently exploited by an automated bot that achieved remote code execution and **exfiltrated the GITHUB_TOKEN** from this repository.

Between February 28, 2026, the `hackerbot-claw` bot opened 6 pull requests against this repository ([#6058](https://github.com/avelino/awesome-go/pull/6058), [#6059](https://github.com/avelino/awesome-go/pull/6059), [#6060](https://github.com/avelino/awesome-go/pull/6060), [#6061](https://github.com/avelino/awesome-go/pull/6061), [#6068](https://github.com/avelino/awesome-go/pull/6068), [#6069](https://github.com/avelino/awesome-go/pull/6069)). 

## Recommended fixes

1. **Switch from `pull_request_target` to `pull_request`** — Fork PRs won't have access to secrets with `pull_request`. This is the simplest and safest fix.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: pr-quality-check.yaml workflow is vulnerable to code execution and token theft from fork PRs #6077

Summary

Recommended fixes

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Security: pr-quality-check.yaml workflow is vulnerable to code execution and token theft from fork PRs #6077

Description

Summary

Recommended fixes

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions