From 1a2ad13b7980253eb645823afd6228706f4028fb Mon Sep 17 00:00:00 2001
From: Afonso Jorge Ramos
Date: Thu, 7 May 2026 19:11:08 +0200
Subject: [PATCH 1/2] ci(triage): use pull_request_target so labeler can write on fork PRs

---
 .github/workflows/triage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 063a32689..02fffb508 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -1,7 +1,7 @@
 name: Triage PR
 on:
-  pull_request:
+  pull_request_target:
     branches:
       - main
     types:

From 3f556079e0d50e76d8735cab7857334e4fb9077d Mon Sep 17 00:00:00 2001
From: Afonso Jorge Ramos
Date: Fri, 8 May 2026 13:53:21 +0200
Subject: [PATCH 2/2] ci(triage): document pull_request_target rationale and silence zizmor

---
 .github/workflows/triage.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 02fffb508..51a734ef6 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -1,7 +1,16 @@
 name: Triage PR
 on:
-  pull_request_target:
+  # `pull_request_target` is required so the labeler/title-validator can
+  # write labels and statuses on PRs from forks (under `pull_request`,
+  # GitHub forces GITHUB_TOKEN to read-only for fork PRs). Safe here
+  # because this workflow:
+  # - never checks out PR code (no actions/checkout),
+  # - has no `run:` steps that interpolate PR fields,
+  # - only invokes SHA-pinned actions that read PR metadata via the API,
+  # - is locked behind required code-owner review (see .github/CODEOWNERS)
+  # so future edits cannot quietly add privileged execution surface.
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     branches:
       - main
     types:
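Review bot: The safety argument written above `pull_request_target:` becomes review-only once `# zizmor: ignore[dangerous-triggers]` silences the scanner, and its second bullet understates the invariant it needs: `${{ }}` expressions over PR-controlled fields can reach a shell through an action's `with:` inputs as well as through `run:` lines. Suggest rewording that bullet to `# - has no \`run:\` steps or action inputs that interpolate PR-controlled fields,` so the next editor checks the whole surface rather than `run:` alone. If the lines between this hunk and the `jobs:` block (not in view) carry no workflow-level `permissions: {}`, adding one would make every job opt in explicitly and back up the job-level block visible in the second hunk. The `on:` block and its `types:` list continue past the end of the hunk.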
@@ -29,7 +38,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read # the config file
-      pull-requests: write # for labeling pull requests (on: pull_request_target or on: pull_request)
+      pull-requests: write # for labeling pull requests
       statuses: write # to generate status
       checks: write # to generate status
     steps:
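Review bot: The `permissions:` block around the changed line narrows only `GITHUB_TOKEN`; under the `pull_request_target` trigger this series adopts, the job still runs with the base repository's `secrets` context, which no permission key restricts. The `steps:` are outside the hunk, so I cannot confirm that none of them forwards a secret to an action that also receives PR-controlled input; a one-line comment such as `permissions: # scopes GITHUB_TOKEN only; repository secrets stay reachable under pull_request_target` would keep that in view for future edits. As a minor point of style, `checks: write # to generate status` repeats the comment on the `statuses:` line and could read `# to create check runs`. The enclosing job definition starts before the hunk and its steps continue past it.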