atmos git clone Refuses Unsafe Fork Checkouts by Default
atmos git clone is Atmos's native replacement for actions/checkout. Mirroring the
actions/checkout v7 hardening,
it now refuses by default to clone untrusted fork content under the elevated
pull_request_target and workflow_run events — the classic "pwn request" where fork code
would run with your repository's secrets. A grep-able opt-in is available for the rare case
you genuinely need it.


