Merge f16eddee84 into 85e6279cec

* Update README.md

* Update README.md

Co-authored-by: Josh Gross <joshmgross@github.com>

---------

Co-authored-by: Josh Gross <joshmgross@github.com>

README.md

@@ -142,6 +142,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 - [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
 - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
+- [Checkout pull request on `pull_request_target`](#Checkout-pull-request-on-pull_request_target)
 - [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
 - [Push a commit to a PR using the built-in token](#Push-a-commit-to-a-PR-using-the-built-in-token)
 
@@ -269,6 +270,22 @@ jobs:
       - uses: actions/checkout@v4
 ```
 
+## Checkout pull request on `pull_request_target`
+
+```yaml
+on:
+  - pull_request_target
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+```
+
+**WARNING! NEVER** run code from pull requests of public repositories! The token of `pull_request_target` event has write access.
+
 ## Push a commit using the built-in token
 
 ```yaml
@@ -311,8 +328,17 @@ jobs:
           git commit -m "generated"
           git push
 ```
+
 *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
 
+# Recommended permissions
+
+When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
+
+```yaml
+permissions:
+  contents: read
+```
 
 # License