From 05aa1e5bb412bf00f60524f433ec33689f14e2e5 Mon Sep 17 00:00:00 2001 From: ylemkimon Date: Sun, 9 Aug 2020 21:54:36 +0900 Subject: [PATCH] Update README regarding `pull_request_target` --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 9c56a6f..bab66f6 100644 --- a/README.md +++ b/README.md @@ -119,6 +119,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit) - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event) - [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token) +- [Checkout pull request on `pull_request_target`](#Checkout-pull-request-on-pull_request_target) ## Fetch all history for all tags and branches @@ -214,6 +215,22 @@ jobs: - uses: actions/checkout@v2 ``` +## Checkout pull request on `pull_request_target` + +```yaml +on: + - pull_request_target +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + ref: refs/pull/${{ github.event.pull_request.number }}/head +``` + +**WARNING! NEVER** run code from pull requests of public repositories! The token of `pull_request_target` event has write access. + ## Push a commit using the built-in token ```yaml
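Review bot: In the second README.md hunk (the new "Checkout pull request on `pull_request_target`" section), the example contradicts its own warning: the job is named `build` and checks out `refs/pull/${{ github.event.pull_request.number }}/head`, and only after the YAML does the text say never to run pull request code because the token has write access. A reader who copies the block and appends build or test steps ends up doing exactly what the warning forbids. Suggest moving the warning above the YAML block, renaming the job so it does not imply building the checked-out tree, and rewording the warning to say that no later step in the job should build, install or execute anything from the checked-out pull request ref. The phrase "pull requests of public repositories" could also be tightened to name the untrusted pull request code being checked out, and it would help to state what the example is safe to use for, since the section currently shows only the checkout step.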