From d4b662ce258715dd509e70011e5bac242e72ffcc Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Tue, 12 May 2026 05:51:13 -0700
Subject: [PATCH] ci: remove pull_request_target trigger from release-drafter

Eliminates exposure of the supply-chain-attack pattern demonstrated by the TanStack NPM compromise. The release-drafter workflow never checks out PR head code, so the current usage isn't immediately exploitable, but we're removing pull_request_target from all Replit-owned public repos as a precaution.

Side-effect: autolabeler will no longer run on PRs from forks. Release notes are still drafted on pushes/merges to main, so the only impact is that fork PRs won't get autolabeled until merged.
---
 .github/workflows/release-drafter.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 017ce454..86193991 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -10,9 +10,6 @@ on:
   pull_request:
     # Only following types are handled by the action, but one can default to all as well
     types: [opened, reopened, synchronize]
-  # pull_request_target event is required for autolabeler to support PRs from forks
-  pull_request_target:
-    types: [opened, reopened, synchronize]
 permissions:
   contents: read