github: Use pull_request_target as a target

And drop checkout action - not needed.

Due to the dangers inherent to automatic processing of PRs, GitHub’s standard
pull_request workflow trigger by default prevents write permissions and
secrets access to the target repository. However, in some scenarios such
access is needed to properly process the PR.

To this end the pull_request_target workflow trigger was introduced.

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

diff --git a/.github/workflows/base-branch-label.yml b/.github/workflows/base-branch-label.yml
index 9572ee7ee2572f5f0a77823dcf586c6a753fdc68..01da2809117b93f966da0f5dd978764f7d631eb6 100644 (file)
--- a/.github/workflows/base-branch-label.yml
+++ b/.github/workflows/base-branch-label.yml
@@ -1,7 +1,7 @@
 name: Add base branch label
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - reopened
@@ -13,7 +13,6 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v2
       - uses: actions-ecosystem/action-add-labels@v1
         with:
           labels: |