Update content/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions.md

Co-authored-by: Jaroslav Lobačevski <[email protected]>
Co-authored-by: Will Slattum <[email protected]>

Author: 3 people

content/actions/reference/security/secure-use.md

@@ -109,7 +109,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned
 
 ## Understanding the risks of untrusted code checkout
 
-Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows have write access and access to secrets in the target repository, which can be exploited to take over a repository.
+Similar to script injection attacks, untrusted pull request content that automatically triggers Actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository.
 
 Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them.