
[aw-compat] Codemod gap: pull_request_target + explicit checkout is not auto-remediated by gh aw fix #37090

@github-actions

Description


Problem

The pull-request-target-checkout-false codemod heals the common case of on.pull_request_target + implicit checkout, but silently skips workflows that declare an explicit checkout: block, leaving them broken under --strict with no automated remediation and no diagnostic.

Today's cross-repo audit observed this error signature in 2 of 20 repositories — one auto-healed, one not:

| Repo | Has explicit `checkout:`? | `gh aw fix` result |
|---|---|---|
| runhey/OnmyojiAutoScript | No | ✅ healed (`checkout: false` added) |
| Azure/azure-sdk-for-net | Yes (sparse-checkout) | ❌ skipped → still fails |

Error

```text
mgmt-review.md:1:1: error: pull_request_target trigger with checkout enabled is extremely insecure.
```

Why the codemod skips it

Per --list-codemods, pull-request-target-checkout-false is documented as:

Adds checkout: false to workflows using on.pull_request_target when checkout is not disabled and no explicit checkout command is detected.

Azure/azure-sdk-for-net's mgmt-review.md declares an explicit checkout:

```yaml
on:
  pull_request_target:
    types: [opened, reopened, synchronize]
checkout:
  sparse-checkout: |
    .github
```

Because an explicit checkout: is present, the codemod (correctly) declines to flip it — auto-changing an intentional checkout could silently alter behaviour. But the result is a dead end: fix reports success while the workflow still fails to compile.

Proposal

This is hard to auto-fix safely (you can't blindly turn an intentional sparse-checkout into checkout: false), so the actionable improvement is a diagnostic, not a silent skip:

  1. When gh aw fix encounters pull_request_target + an explicit checkout: block, emit an explicit, actionable message instead of skipping quietly — e.g.:

    pull_request_target + explicit checkout: cannot be auto-remediated. Either switch to the pull_request trigger, or set checkout: false and add an explicit checkout of a trusted ref. The .github-only sparse checkout here is likely safe to convert to checkout: false.

  2. Optionally offer an opt-in transform (behind a flag/prompt) for the narrow, demonstrably-safe case where the sparse-checkout only touches .github/** (no PR-controlled source), converting it to checkout: false.
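As an added illustration of the two proposal items (not code from gh aw or from this issue's author), the classifier below takes the already-parsed YAML frontmatter of a workflow `.md` file as a plain dict, reports the `pull_request_target` + explicit `checkout:` combination instead of skipping it, and applies the opt-in conversion only when every sparse-checkout path lies under `.github`. The function names, the `SAFE_PREFIX` constant, the `allow_sparse_conversion` flag and the three sample frontmatters are assumptions constructed for this example; the diagnostic wording is copied from the proposal above.

```python
# Added example (not gh aw's own code): classifier for the
# pull_request_target + explicit checkout pattern described in this issue.
# Assumptions: input is the parsed YAML frontmatter of an agentic workflow
# .md file (a dict), and only paths under SAFE_PREFIX are treated as not
# PR-controlled for the opt-in conversion.
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

SAFE_PREFIX = ".github"  # assumption: the narrow safe case named in the proposal

# Diagnostic text taken from the proposal above, not from any real tool output.
MANUAL_MSG = (
    "pull_request_target + explicit checkout: cannot be auto-remediated. "
    "Either switch to the pull_request trigger, or set checkout: false "
    "and add an explicit checkout of a trusted ref."
)


@dataclass
class Verdict:
    status: str                  # ok | healed | convertible | converted | needs_manual
    message: str
    frontmatter: Dict[str, Any]  # frontmatter after any applied transform


def has_pull_request_target(fm: Dict[str, Any]) -> bool:
    """True if the workflow is triggered by pull_request_target in any YAML form."""
    on = fm.get("on")
    if isinstance(on, str):
        return on == "pull_request_target"
    if isinstance(on, (list, dict)):
        return "pull_request_target" in on
    return False


def sparse_paths(checkout: Dict[str, Any]) -> Optional[List[str]]:
    """Normalise a sparse-checkout value (block scalar or list) to a path list."""
    raw = checkout.get("sparse-checkout")
    if raw is None:
        return None
    lines = raw.splitlines() if isinstance(raw, str) else list(raw)
    return [str(p).strip() for p in lines if str(p).strip()]


def paths_confined_to(paths: List[str], prefix: str) -> bool:
    """True only if every path is the prefix itself or lies strictly below it."""
    if not paths:
        return False
    for p in paths:
        norm = p.strip("/")
        if norm != prefix and not norm.startswith(prefix + "/"):
            return False  # e.g. ".githubx" or "src" is not under ".github"
    return True


def assess(fm: Dict[str, Any], allow_sparse_conversion: bool = False) -> Verdict:
    """Classify one workflow and apply only the transform the proposal permits."""
    if not has_pull_request_target(fm):
        return Verdict("ok", "no pull_request_target trigger", fm)
    checkout = fm.get("checkout")
    if checkout is False:
        return Verdict("ok", "checkout already disabled", fm)
    if checkout is None:
        # The common case the existing codemod already heals.
        return Verdict("healed", "added checkout: false", {**fm, "checkout": False})
    if isinstance(checkout, dict):
        paths = sparse_paths(checkout)
        if paths is not None and paths_confined_to(paths, SAFE_PREFIX):
            if allow_sparse_conversion:
                return Verdict("converted",
                               f"{SAFE_PREFIX}-only sparse checkout converted to checkout: false",
                               {**fm, "checkout": False})
            return Verdict("convertible",
                           MANUAL_MSG + f" The {SAFE_PREFIX}-only sparse checkout here "
                           "is likely safe to convert to checkout: false.", fm)
    # Any other explicit checkout block: report it instead of skipping quietly.
    return Verdict("needs_manual", MANUAL_MSG, fm)


# Constructed sample frontmatters mirroring the two repositories in the table,
# plus a third unsafe case; none is copied from a real repository.
AZURE_LIKE = {"on": {"pull_request_target": {"types": ["opened", "reopened", "synchronize"]}},
              "checkout": {"sparse-checkout": ".github\n"}}
RUNHEY_LIKE = {"on": {"pull_request_target": {}}}
UNSAFE = {"on": ["pull_request_target"],
          "checkout": {"sparse-checkout": [".github", "src"]}}

if __name__ == "__main__":
    for name, fm in [("azure-like", AZURE_LIKE), ("runhey-like", RUNHEY_LIKE), ("unsafe", UNSAFE)]:
        v = assess(fm)
        print(f"{name}: {v.status}: {v.message}")
```

The `convertible` verdict is the default for the `.github`-only case so that `fix` never silently rewrites an intentional checkout; passing `allow_sparse_conversion=True` is the flag/prompt-gated path from item 2, and everything else with an explicit block lands in `needs_manual` with the message from item 1.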

Acceptance criteria

  • gh aw fix no longer reports "fixed" for a workflow that remains broken on this pattern.
  • The fix/compile output names the pull_request_target + explicit-checkout combination and links to the safe pattern.
  • (Optional) An opt-in path handles the .github-only sparse-checkout case.

Representative repositories

  • Azure/azure-sdk-for-net: .github/workflows/mgmt-review.md (not healed)
  • runhey/OnmyojiAutoScript: .github/workflows/pr-review-*.md (healed, baseline for expected behaviour)

Source: daily [aw-compat] cross-repo compilation audit, build 85015b1.

Generated by 🔧 Daily AW Cross-Repo Compile Check · 259 AIC ·

  • expires on Jun 12, 2026, 10:17 AM UTC
