
fix: remove pull_request_target from cla - BED-7555#275

Merged
elikmiller merged 2 commits into v4 from BED-7555 on Mar 2, 2026

Conversation


@mykeelium mykeelium commented Mar 2, 2026

Description

remove pull request target from cla

Motivation and Context

Resolves BED-7555

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

Summary by CodeRabbit

  • Chores
    • Updated CI workflow behavior for pull request handling to align automation with current PR events.
    • Updated the vulnerability scan action to a pinned release version for more stable, reproducible scan runs.

@mykeelium mykeelium self-assigned this Mar 2, 2026
@mykeelium mykeelium added the bug Something isn't working label Mar 2, 2026

coderabbitai bot commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c0d9ac9 and 3081049.

📒 Files selected for processing (1)
  • .github/workflows/vuln-scan.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/vuln-scan.yml

Walkthrough

Updates two GitHub Actions workflows: .github/workflows/cla.yml changes the trigger and condition from pull_request_target to pull_request; .github/workflows/vuln-scan.yml updates the Trivy action reference from a commit hash to tag 0.34.2.

Changes

  • CLA workflow (.github/workflows/cla.yml): Swapped workflow trigger from pull_request_target to pull_request and updated the CLA step condition to match the new event name.
  • Vulnerability scan workflow (.github/workflows/vuln-scan.yml): Replaced the Trivy action reference, a specific commit hash, with tag 0.34.2; no other step parameters or control flow changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • kpowderly
  • ktstrader

Poem

🐇 I hopped through YAML, neat and spry,
Swapped triggers quick beneath the sky,
A tag for Trivy, tidy and bright,
Cla checks now wake with proper light,
Hooray — the workflows hum tonight! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. The PR description is incomplete. The 'How Has This Been Tested?' section is blank with only template comments, and the checklist indicates no testing or documentation updates were performed. Resolution: Complete the 'How Has This Been Tested?' section with details on testing methodology and environment, or clarify why testing was not applicable for this change.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title clearly describes the main change: removing pull_request_target from the CLA workflow and references the issue BED-7555.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/cla.yml (1)

5-33: ⚠️ Potential issue | 🟠 Major

Guard secret-dependent steps for fork PRs.

The workflow triggers on both issue_comment (Line 3) and pull_request (Line 5). On fork-origin PRs, repository secrets are unavailable (GitHub intentionally does not provide them).

The "Organization Members" step (Lines 12–33) has no guard and runs unconditionally—it will attempt to use secrets.READ_MEMBERS_SCOPE on fork PRs where that secret is empty, causing the API call to fail with an authorization error. The "CLA Assistant" step's condition (Line 36) explicitly allows pull_request events without checking the fork attribute, so it will also attempt to use secrets.REPO_SCOPE on fork PRs with the same failure mode.

Suggested fix
      - name: "Organization Members"
+       if: github.event_name == 'issue_comment' || github.event.pull_request.head.repo.fork == false
        id: org-members
        run: |
          ALL_MEMBERS=""
          URL="${{ github.api_url }}/orgs/${{ github.repository_owner }}/members?per_page=100"
          ...

      - name: "CLA Assistant"
-       if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request'
+       if: >
+         (github.event_name == 'issue_comment' &&
+          (github.event.comment.body == 'recheck' ||
+           github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) ||
+         (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)
         uses: contributor-assistant/github-action@v2.2.1
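Review bot: the `github.event.pull_request.head.repo.fork == false` clause added to the "CLA Assistant" condition skips the CLA check on every fork-origin pull request, which is exactly the contributor population a CLA gate exists to cover; after this change a fork contributor's signature is only processed through the issue_comment branch of the same condition ('recheck' or the signing phrase). If that comment-driven path is the intended entry point for forks, say so in a comment above the step; if not, the fork case needs a variant of the step that does not depend on secrets.REPO_SCOPE rather than a skip. The matching guard on "Organization Members" does what it says for pull_request events, but note that both conditions still fire for issue_comment events on ordinary issues, not only on pull requests, since neither checks github.event.issue.pull_request.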
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cla.yml around lines 5 - 33, The "Organization Members"
step in job CLAssistant (step name "Organization Members") and any steps that
use secrets (e.g., the CLA Assistant step referencing secrets.REPO_SCOPE) must
be guarded so they do not run for forked PRs where repository secrets are
unavailable; update those steps to include a conditional that only runs when the
event is not a fork (for pull_request events check
github.event.pull_request.head.repo.fork == false) or when the secret is
present, thereby preventing the curl call that uses secrets.READ_MEMBERS_SCOPE
from executing on forked PRs and avoiding authorization failures.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52b978a and c0d9ac9.

📒 Files selected for processing (1)
  • .github/workflows/cla.yml
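As an added illustration (not code from the repository; this page does not reproduce its cla.yml), the trigger this PR removes beside the one it adopts, with the fork guards proposed in the review comment above. The job name CLAssistant, the step names, the action reference and the secret names come from the review comment; the event types, the shape of the curl call and the action's env inputs are assumptions.

```yaml
# Added illustration, not the repository's cla.yml. Event types, the curl
# call and the action env inputs are assumed; names come from the review.

# BEFORE (the pattern this PR removes): pull_request_target runs in the BASE
# repository's context, so repository secrets and a write-capable GITHUB_TOKEN
# are available even for pull requests opened from forks. Any step under this
# trigger that checks out or runs code from the PR head exposes that context
# to untrusted changes, which is why the trigger is dropped here.
on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, synchronize]
---
# AFTER (what this PR does): pull_request runs in the context of the PR head.
# For fork-origin PRs GitHub withholds repository secrets and limits
# GITHUB_TOKEN to read access, so secret-dependent steps must be guarded or
# they fail with authorization errors.
on:
  issue_comment:
    types: [created]
  pull_request:
    types: [opened, synchronize]

jobs:
  CLAssistant:
    runs-on: ubuntu-latest
    steps:
      - name: "Organization Members"
        # issue_comment runs in base context and keeps its secrets; for
        # pull_request only same-repo branches have secrets.READ_MEMBERS_SCOPE.
        if: github.event_name == 'issue_comment' || github.event.pull_request.head.repo.fork == false
        id: org-members
        run: |
          ALL_MEMBERS=""
          URL="${{ github.api_url }}/orgs/${{ github.repository_owner }}/members?per_page=100"
          # pagination loop over $URL with an Authorization header built from
          # secrets.READ_MEMBERS_SCOPE omitted; it would fail on a fork PR

      - name: "CLA Assistant"
        if: >
          (github.event_name == 'issue_comment' &&
           (github.event.comment.body == 'recheck' ||
            github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) ||
          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false)
        uses: contributor-assistant/github-action@v2.2.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}        # read-only on fork PRs
          PERSONAL_ACCESS_TOKEN: ${{ secrets.REPO_SCOPE }}  # empty on fork PRs
        # with: inputs (signature path, document path, branch) omitted
```

The second document is the shape the review converges on: the trigger no longer grants base-repository secrets to fork changes, and the guards make the remaining secret-dependent steps skip rather than fail on fork PRs, at the cost noted in the review that fork contributors then only reach the CLA check through the comment path.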

@elikmiller elikmiller merged commit 9ea2281 into v4 Mar 2, 2026
3 checks passed
@elikmiller elikmiller deleted the BED-7555 branch March 2, 2026 18:14