GitHub's standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios, such access is needed to properly process the PR. To this end, the pull_request_target workflow trigger was introduced.
The pull_request_target runs in the context of the target repository of the PR, rather than in the merge commit. This means the standard checkout action uses the target repository to prevent accidental usage of the user-supplied code.
With all this said, if you can trust/validate all the input from a user's PR then you are in the most secure position.
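As an added example (not from the original post), here is a pull_request_target workflow that needs write access to label the PR but leaves the checkout at its default, so only the target repository's own code runs with the job's token; the workflow name, label names and the 500-line threshold are assumptions for illustration.

```yaml
# Added example: pull_request_target used for a task that needs write access
# (labelling the PR) without ever executing code from the contributor's branch.
name: pr-triage
on:
  pull_request_target:
    types: [opened, synchronize]

# Scope the token to what the job actually needs.
permissions:
  contents: read
  pull-requests: write

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # Under pull_request_target the default checkout is the base branch of
      # the target repository, so anything run from this tree is maintainer code.
      - uses: actions/checkout@v4

      # RISKY, kept here commented out as the pattern to avoid: overriding the
      # ref to the PR head and then running anything from it would execute
      # contributor-supplied code with this job's token and secrets.
      # - uses: actions/checkout@v4
      #   with:
      #     ref: ${{ github.event.pull_request.head.sha }}
      # - run: npm ci && npm test

      # Read PR metadata through environment variables rather than inlining
      # it into the script, so it is treated as data, not as code.
      - name: Apply size label
        env:
          ADDITIONS: ${{ github.event.pull_request.additions }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
        run: |
          if [ "$ADDITIONS" -gt 500 ]; then
            gh pr edit "$PR_NUMBER" --add-label "size/large"
          else
            gh pr edit "$PR_NUMBER" --add-label "size/small"
          fi
```

Anything that must build or test the contributor's changes belongs in a separate pull_request workflow, which runs without secrets.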
To keep up to date on other vulnerabilities through GitHub, check out GitHub's full vulnerability list.
https://securitylab.github.com/advisories
This is part of my 28 days of Actions series. To get notified of more GitHub Action tips, follow the GitHub organization right here on Dev.