
atmos git clone Refuses Unsafe Fork Checkouts by Default

Erik Osterman
Founder @ Cloud Posse

atmos git clone is Atmos's native replacement for actions/checkout. Mirroring the actions/checkout v7 hardening, it now refuses by default to clone untrusted fork content under the elevated pull_request_target and workflow_run events — the classic "pwn request" where fork code would run with your repository's secrets. A grep-able opt-in is available for the rare case you genuinely need it.

What Changed

When you run atmos git clone inside a pull_request_target or workflow_run workflow — which execute with your base repository's secrets, GITHUB_TOKEN, and cloud credentials — Atmos now refuses to clone fork content unless you explicitly opt in. The gate triggers only on the genuinely dangerous combination:

  • an explicit --branch / ref override that is a pull-request ref (e.g. refs/pull/<N>/merge or refs/pull/<N>/head), or
  • an ad hoc clone URI whose owner/repo differs from the base GITHUB_REPOSITORY.

The safe no-arg checkout (your base repository at its base ref) is never gated, and the low-privilege pull_request, push, and merge_group events are unaffected.

Why This Matters

pull_request_target and workflow_run are exactly the events GitHub hardened in actions/checkout v7, because checking out a fork's PR code while holding the base repository's secrets lets a malicious contributor exfiltrate those secrets. Since atmos git clone fills the same role as actions/checkout, it inherited the same risk — and now it gets the same fail-closed default.

How to Use It

Nothing to do for the common case: base checkouts and pull_request workflows keep working. For fork contributions, prefer a pull_request workflow (secrets are withheld from fork-triggered runs) for any clone-and-plan step, and reserve pull_request_target / workflow_run for trusted, secret-free steps.

If you have a deliberate, reviewed reason to bypass the gate, the opt-in is intentionally easy to spot in code review and static analysis:

# atmos.yaml
ci:
  allow_unsafe_fork_execution: true

or per-invocation via the --allow-unsafe-fork flag or the ATMOS_ALLOW_UNSAFE_FORK_EXECUTION environment variable.
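To make the gate described above concrete, here is an added example (not Atmos's own code) of the decision logic: it refuses a checkout only for an elevated event combined with a PR ref override or a foreign owner/repo clone URI, and honours the opt-in. The CheckoutRequest type, its field names and the ownerRepo helper are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Events that run with the base repository's secrets: fork content must not be checked out under them without an explicit opt-in.
var elevatedEvents = map[string]bool{"pull_request_target": true, "workflow_run": true}

// Pull-request refs (refs/pull/<N>/merge, refs/pull/<N>/head) point at fork content.
var prRef = regexp.MustCompile(`^refs/pull/\d+/(merge|head)$`)

// CheckoutRequest holds the inputs the gate inspects. Field names are assumptions for this example, not Atmos's own types.
type CheckoutRequest struct {
	Event          string // GITHUB_EVENT_NAME
	BaseRepository string // GITHUB_REPOSITORY, e.g. "acme/infra"
	Ref            string // explicit --branch / ref override, "" if none
	CloneURI       string // ad hoc clone URI, "" for the base repository
	AllowUnsafe    bool   // ci.allow_unsafe_fork_execution / --allow-unsafe-fork / env var
}

// ownerRepo reduces an https:// or git@ GitHub clone URI to "owner/repo" (assumed helper).
func ownerRepo(uri string) string {
	uri = strings.TrimSuffix(uri, ".git")
	if i := strings.Index(uri, "github.com"); i >= 0 {
		uri = strings.TrimLeft(uri[i+len("github.com"):], ":/")
	}
	return uri
}

// IsUnsafeForkCheckout reports whether the request would check out fork content under an elevated event and must be refused.
func IsUnsafeForkCheckout(r CheckoutRequest) bool {
	if !elevatedEvents[r.Event] || r.AllowUnsafe {
		return false // low-privilege event, or a deliberate, reviewed opt-in
	}
	if r.Ref != "" && prRef.MatchString(r.Ref) {
		return true // PR ref override: fork code would run with base-repo secrets
	}
	if r.CloneURI != "" && !strings.EqualFold(ownerRepo(r.CloneURI), r.BaseRepository) {
		return true // ad hoc clone of a different owner/repo
	}
	return false // base repository at its base ref is never gated
}

func main() {
	r := CheckoutRequest{Event: "pull_request_target", BaseRepository: "acme/infra", Ref: "refs/pull/42/merge"}
	fmt.Println("refused:", IsUnsafeForkCheckout(r)) // refused: true
}
```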

Get Involved

See the atmos git clone docs for the full behavior matrix, and the CI configuration reference for the opt-in setting.