ci: remove pull_request_target workflow #436

Merged
jdx merged 1 commit into main from claude/remove-pull-request-target
May 12, 2026
@jdx jdx (Owner) commented May 12, 2026

Summary

  • Deletes the only workflow in this repo triggered by pull_request_target.
  • pull_request_target runs in the context of the base repo (with secrets / write tokens) on PRs from forks, which is risky. The workflow only validated PR titles; not worth the trust footprint.

Test plan

  • None — workflow file removal only.

Note

Low Risk
Low risk: this only deletes a CI workflow, with the main impact being loss of automated PR title linting.

Overview
Removes the semantic-pr.yml GitHub Actions workflow that validated PR titles via amannn/action-semantic-pull-request and was triggered on pull_request_target events.

Reviewed by Cursor Bugbot for commit 35d8a7e. Bugbot is set up for automated code reviews on this repo.

Removes the semantic PR title lint workflow that ran on pull_request_target.
This trigger grants secrets/write tokens to workflows triggered from forks,
which is risky. Drop the workflow rather than rewire it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

greptile-apps Bot commented May 12, 2026

Greptile Summary

This PR removes the sole pull_request_target-triggered workflow, which was responsible for linting PR titles against conventional-commit rules. The author's rationale is sound: pull_request_target executes in the base-repo context and has access to repository secrets, making it a higher-risk trigger for a low-value lint check.

  • Deletes .github/workflows/semantic-pr.yml, which used amannn/action-semantic-pull-request to enforce semantic PR titles — the only effect is that PR title linting will no longer run.
  • The removed workflow did have permissions: pull-requests: read and was pinned to a commit SHA, so the actual attack surface was small, but removing it entirely eliminates the risk class.

Confidence Score: 5/5

Safe to merge — this is a pure file deletion with no logic changes and a clear security motivation.

The change deletes a single workflow file with no downstream dependencies. Removing the pull_request_target trigger tightens the repo's CI security posture without breaking any builds or tests.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/semantic-pr.yml | Deleted the pull_request_target workflow that validated PR titles via amannn/action-semantic-pull-request; removes a security-sensitive trigger that ran in the base-repo context with write tokens on fork PRs. |

Reviews (1): Last reviewed commit: "ci: remove pull_request_target workflow"

@jdx jdx merged commit 7e052f4 into main May 12, 2026
7 checks passed
@jdx jdx deleted the claude/remove-pull-request-target branch May 12, 2026 13:30
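
An added example, not part of this pull request or the project's code: a heuristic audit that reports the three properties the thread weighs for a workflow (the pull_request_target trigger, an explicit permissions block, and actions pinned to a commit SHA). The sample workflows and the placeholder SHA are constructed, and `audit_workflow` is a hypothetical helper name.

```python
import re

# Heuristic line-based patterns; no YAML parser, so quoted keys or anchors are missed.
TRIGGER_RE = re.compile(r"^\s*(?:on\s*:\s*\[?|-\s*)?(?:\w+\s*,\s*)*pull_request_target\b", re.M)
PERMS_RE = re.compile(r"^\s*permissions\s*:", re.M)
USES_RE = re.compile(r"^\s*(?:-\s*)?uses\s*:\s*([^\s#]+)", re.M)
SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}$")

def audit_workflow(text):
    """Return findings for one workflow file's text (hypothetical helper)."""
    body = re.sub(r"(?m)(^|[ \t])#.*$", "", text)  # drop YAML comments
    if not TRIGGER_RE.search(body):
        return []  # not triggered by pull_request_target
    findings = ["runs on pull_request_target (base-repo context)"]
    if not PERMS_RE.search(body):
        findings.append("no explicit permissions block; token uses the default scope")
    for ref in USES_RE.findall(body):
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are out of scope here
        if not SHA_PIN_RE.search(ref):
            findings.append(f"action not pinned to a commit SHA: {ref}")
    return findings

# Constructed samples, not the deleted semantic-pr.yml; the SHA is a placeholder.
SCOPED = """\
on:
  pull_request_target:
    types: [opened, edited]
permissions:
  pull-requests: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@0123456789abcdef0123456789abcdef01234567 # placeholder
"""
LOOSE = """\
on: [push, pull_request_target]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v5
"""

if __name__ == "__main__":
    for name, workflow in (("scoped", SCOPED), ("loose", LOOSE)):
        print(name, audit_workflow(workflow))
```
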