From 1ba352a3239ad4f4fc6b784ecc51cb2414b8be93 Mon Sep 17 00:00:00 2001
From: geoffg-sentry <165922362+geoffg-sentry@users.noreply.github.com>
Date: Tue, 21 Apr 2026 12:22:11 -0400
Subject: [PATCH] Move workflow to pull_request and do not persist creds'

---
 .github/workflows/changelog-preview.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
index 99f721a9..0d83f0ee 100644
--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@@ -70,17 +70,16 @@ on:
         default: true
 
   # Also run on PRs in this repository (dogfooding)
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened, edited, labeled, unlabeled]
 
-permissions:
-  contents: read
-  pull-requests: write # For comment mode
-  statuses: write # For status check mode
-
 jobs:
   preview:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write # For comment mode
+      statuses: write # For status check mode
     steps:
       # For pull_request_target, we must explicitly specify the ref to get the PR commits.
       # Try the merge ref first; fall back to head ref if PR has merge conflicts.
@@ -90,12 +89,14 @@ jobs:
         with:
           fetch-depth: 0
           ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          persist-credentials: false
 
       - uses: actions/checkout@v6
         if: steps.checkout-merge.outcome == 'failure'
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Install Craft
         shell: bash