From 4d98b004ac4d294ef459a698a4803350c9872a82 Mon Sep 17 00:00:00 2001
From: Olaoluwa Osuntokun
Date: Wed, 28 Jan 2026 15:18:19 -0400
Subject: [PATCH] workflows/pr-severity: use pull_request_target for fork PRs
Switch from pull_request to pull_request_target to allow the workflow to run on PRs from forks. The pull_request trigger runs in the fork's context which cannot access repository secrets. This is safe because the workflow only reads PR metadata via the GitHub API (changed files, labels) and doesn't checkout or execute any code from the PR itself.
---
 .github/workflows/pr-severity.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr-severity.yml b/.github/workflows/pr-severity.yml
index b8cbd3ad0c..cfce023de9 100644
--- a/.github/workflows/pr-severity.yml
+++ b/.github/workflows/pr-severity.yml
@@ -1,7 +1,10 @@
 name: PR Severity Classification
 on:
- pull_request:
+ # Use pull_request_target to allow running on fork PRs with access to secrets.
+ # This is safe because we don't checkout or execute any code from the PR -
+ # we only read PR metadata (changed files, labels) via the GitHub API.
+ pull_request_target:
 types: [opened, synchronize, labeled]
 permissions:
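Review bot: The new comment above `pull_request_target:` explains why the trigger is safe today, but nothing in the file keeps that true: the justification holds only while no later step checks out the PR head or interpolates PR-controlled values (title, branch name, changed file names) into a `run:` script via `${{ }}`. I would word the comment as a constraint on future edits, e.g. `# SECURITY: runs with the base repo's token and secrets on fork PRs; never check out or run PR code here, and pass PR fields to scripts via env, not ${{ }} interpolation.` The `permissions:` block and the job steps lie outside this hunk, so I cannot confirm them. Because the token is no longer forced read-only for fork PRs under this trigger, that block should grant only the scopes the classification job needs.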