From 4588d0cb4955e47a7ad3c38963a018a0284ac990 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis Date: Wed, 25 May 2022 19:07:40 +0300 Subject: [PATCH] github: Use pull_request_target as a target MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit And drop checkout action - not needed. Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios such access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced. Signed-off-by: Donatas Abraitis --- .github/workflows/base-branch-label.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/base-branch-label.yml b/.github/workflows/base-branch-label.yml index 9572ee7ee2..01da280911 100644 --- a/.github/workflows/base-branch-label.yml +++ b/.github/workflows/base-branch-label.yml @@ -1,7 +1,7 @@ name: Add base branch label on: - pull_request: + pull_request_target: types: - opened - reopened @@ -13,7 +13,6 @@ jobs: contents: read pull-requests: write steps: - - uses: actions/checkout@v2 - uses: actions-ecosystem/action-add-labels@v1 with: labels: | -- 2.39.5