update urls

action.yml

@@ -101,8 +101,11 @@ inputs:
   allow-unsafe-pr-checkout:
     description: >
       Required to check out fork pull request code from a workflow triggered by
-      `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link)
-      for the risks. Set to `true` only after reviewing the risks.
+      `pull_request_target` or `workflow_run`. These workflows run with the
+      base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
+      runner access; fetching a fork's code in that trusted context is a
+      "pwn request" supply-chain attack pattern. Set to `true` only after
+      reviewing the risks at https://gh.io/allow-unsafe-pr-checkout.
     default: false
 outputs:
   ref: