You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In PR #55 we introduced `.github/workflows/pr-title.yml` and `.github/workflows/label.yml` using the `pull_request` trigger, because `pull_request_target` requires the workflow file to already exist on the default branch (GitHub's security rule for base-repo permissions on PR payloads). Using `pull_request_target` on a PR that was adding those files caused the `Validate` check to never report, stalling the required-status-check merge gate. See the trigger-revert commit and its message on #55 for the full write-up.
Why we want `pull_request_target`
pr-title.yml: `pull_request_target` carries base-repo permissions, so fork PRs can post / update the sticky comment explaining the Conventional Commits format. Under `pull_request` the `GITHUB_TOKEN` is read-only on fork PRs, so fork contributors see the failing `Validate` check but don't get the helpful comment. Once feat: add AI automation stack and OSS governance for open-source launch #55 lands, the workflow file is on main, so `pull_request_target` becomes safe and useful.
label.yml: same story — labels apply via `actions/labeler` on `pull_request` for internal PRs but silently no-op on fork PRs. Moving to `pull_request_target` post-merge lets forks get auto-labeled too.
Scope
Two-line change, one commit:
`.github/workflows/pr-title.yml`: `on.pull_request` → `on.pull_request_target` (keep same `types`)
`.github/workflows/label.yml`: same swap
Open a PR, let it pass the now-enforced `Validate` check (no change to title behavior for maintainer PRs, so should pass), squash-merge.
Safety note
Both workflows were deliberately written to only read `github.event.pull_request.*` from the webhook payload and never check out PR code — the standard `pull_request_target` safety criterion. No additional review needed beyond confirming neither file gains an `actions/checkout` step before the switch.
Acceptance
Fork PR opened against the repo gets the `Validate` check reporting + (on fail) a sticky comment with the format.
Fork PR gets auto-labeled by `actions/labeler` per `.github/labeler.yml`.
Context
In PR #55 we introduced `.github/workflows/pr-title.yml` and `.github/workflows/label.yml` using the `pull_request` trigger, because `pull_request_target` requires the workflow file to already exist on the default branch (GitHub's security rule for base-repo permissions on PR payloads). Using `pull_request_target` on a PR that was adding those files caused the `Validate` check to never report, stalling the required-status-check merge gate. See the trigger-revert commit and its message on #55 for the full write-up.
Why we want `pull_request_target`
Scope
Two-line change, one commit:
Open a PR, let it pass the now-enforced `Validate` check (no change to title behavior for maintainer PRs, so should pass), squash-merge.
Safety note
Both workflows were deliberately written to only read `github.event.pull_request.*` from the webhook payload and never check out PR code — the standard `pull_request_target` safety criterion. No additional review needed beyond confirming neither file gains an `actions/checkout` step before the switch.
Acceptance
References