From 05aa1e5bb412bf00f60524f433ec33689f14e2e5 Mon Sep 17 00:00:00 2001
From: ylemkimon <y@ylem.kim>
Date: Sun, 9 Aug 2020 21:54:36 +0900
Subject: [PATCH 1/3] Update README regarding `pull_request_target`

---
 README.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/README.md b/README.md
index 9c56a6f..bab66f6 100644
--- a/README.md
+++ b/README.md
@@ -119,6 +119,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
 - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
 - [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
+- [Checkout pull request on `pull_request_target`](#Checkout-pull-request-on-pull_request_target)
 
 ## Fetch all history for all tags and branches
 
@@ -214,6 +215,22 @@ jobs:
       - uses: actions/checkout@v2
 ```
 
+## Checkout pull request on `pull_request_target`
+
+```yaml
+on:
+  - pull_request_target
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/head
+```
+
+**WARNING! NEVER** run code from pull requests of public repositories! The token of `pull_request_target` event has write access.
+
 ## Push a commit using the built-in token
 
 ```yaml

From 4c4d2b5a39761bb8a521b5fa0355d08a2b5592c3 Mon Sep 17 00:00:00 2001
From: ylemkimon <y@ylem.kim>
Date: Sun, 9 Aug 2020 21:59:31 +0900
Subject: [PATCH 2/3] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index bab66f6..87117b0 100644
--- a/README.md
+++ b/README.md
@@ -118,8 +118,8 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 - [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
 - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
-- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
 - [Checkout pull request on `pull_request_target`](#Checkout-pull-request-on-pull_request_target)
+- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
 
 ## Fetch all history for all tags and branches
 

From f16eddee8410930a20309c41063631c4177643a5 Mon Sep 17 00:00:00 2001
From: ylemkimon <y@ylem.kim>
Date: Tue, 15 Sep 2020 04:37:09 +0900
Subject: [PATCH 3/3] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 87117b0..a714c0f 100644
--- a/README.md
+++ b/README.md
@@ -226,7 +226,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
         with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/head
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
 ```
 
 **WARNING! NEVER** run code from pull requests of public repositories! The token of `pull_request_target` event has write access.