Commit 3c60481
authored
CI: Use pull_request_target for PR approval check (#4615)
The PR approval check workflow uses `pull_request`, which does not grant
the `GITHUB_TOKEN` write permissions for commit statuses on fork PRs.
This causes the check to silently fail on external contributions.
Switches to `pull_request_target`, which runs in the context of the base
branch and has the necessary permissions.
**Security notes** (also documented as comments in the workflow file):
- `pull_request_target` grants write access to the repository. This is
safe here because the workflow **only reads PR metadata via the GitHub
API** and never checks out, builds, or executes code from the PR branch.
- A clear `SECURITY` comment block at the top of the file explains why
`pull_request_target` is used and warns against adding a checkout step.
- An additional inline comment on the job warns against adding checkout
steps.
Co-authored-by: clockwork-labs-bot <clockwork-labs-bot@users.noreply.github.com>1 parent 4d7db10 commit 3c60481
1 file changed
Lines changed: 12 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
3 | 13 | | |
4 | | - | |
| 14 | + | |
5 | 15 | | |
6 | 16 | | |
7 | 17 | | |
| |||
21 | 31 | | |
22 | 32 | | |
23 | 33 | | |
| 34 | + | |
24 | 35 | | |
25 | 36 | | |
26 | 37 | | |
| |||
0 commit comments