Conversation

@BYK BYK commented Jan 16, 2026

Summary

Updates the changelog-preview workflow to use pull_request_target instead of pull_request.

Why?

This change is required for the changelog preview to work correctly with PRs from forks. With pull_request, the workflow runs with a read-only GITHUB_TOKEN which cannot post comments or create statuses on fork PRs.

This aligns with the recommended usage in the craft changelog-preview workflow.

Security Note

This change is safe because the changelog-preview workflow:

  • Downloads the Craft binary from releases (not from the PR)
  • Only reads git metadata and configuration
  • Does not execute any code from the PR

@BYK BYK requested a review from bitsandfoxes as a code owner January 16, 2026 12:55
@BYK BYK enabled auto-merge (squash) January 16, 2026 12:57

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

name: Changelog Preview
on:
pull_request:
pull_request_target:
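Review bot: pull_request_target runs the workflow definition from the base branch, so the checks on this PR still exercise the old trigger and the fork-comment behaviour can only be confirmed on a fork PR after merge; and because the job now runs with write permissions and inherited secrets, the reusable workflow reference `getsentry/craft/.github/workflows/changelog-preview.yml@v2` is better pinned to a full commit SHA than to a mutable tag, so that a later move of `v2` cannot change what runs under that token.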

Privileged workflow trigger with inherited secrets needs verification

Medium Severity

The change to pull_request_target combined with secrets: inherit and write permissions (contents: write, pull-requests: write) creates a privileged execution context for fork PRs. This is a known security-sensitive pattern ("pwn request"). The safety depends entirely on the external workflow at getsentry/craft/.github/workflows/changelog-preview.yml@v2 not executing PR-controlled code or processing untrusted inputs unsafely. The PR's security claims about that workflow cannot be verified from this diff alone and warrant independent confirmation.

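The independent confirmation the review comment asks for starts with reading the called workflow at the exact ref the caller pins. The following is an added heuristic checker, not code from this repository or from craft; the two workflow snippets it scans are constructed samples (the caller mirrors the shape this PR produces with `secrets: inherit` dropped, the callee is invented to show what the check flags).

```bash
#!/usr/bin/env bash
# Heuristic check for a workflow that runs, or is called, under pull_request_target.
# Reads one workflow file from stdin, reports each risky pattern on stderr and prints
# the number of findings on stdout. Zero findings means "read it by hand", not "safe".
scan_workflow() {
  content="$(cat)"
  findings=0
  # 1. The PR head is checked out or referenced: code from the fork would then run
  #    with the base repository's write token and secrets.
  if printf '%s\n' "$content" | grep -Eq 'github\.event\.pull_request\.head\.(sha|ref)'; then
    echo "finding: PR head sha/ref referenced (fork code may run privileged)" >&2
    findings=$((findings + 1))
  fi
  # 2. PR-controlled text expanded through an expression: inside a run: step a crafted
  #    title or branch name becomes shell syntax executed by the privileged job.
  if printf '%s\n' "$content" | grep -Eq '[$][{][{] *github\.event\.pull_request\.(title|body|head\.ref|head\.label)'; then
    echo "finding: PR-controlled field interpolated through an expression" >&2
    findings=$((findings + 1))
  fi
  # 3. Every repository secret is handed to the callee instead of only the ones it needs.
  if printf '%s\n' "$content" | grep -Eq '^[[:space:]]*secrets:[[:space:]]*inherit'; then
    echo "finding: secrets: inherit (callee receives all repository secrets)" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}
# Constructed caller (not the repository's real file); GITHUB_TOKEN still reaches the callee.
SAFE_CALLER='name: Changelog Preview
on:
  pull_request_target:
permissions:
  contents: read
  pull-requests: write
jobs:
  preview:
    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
'
# Constructed callee that would make the privileged trigger unsafe.
UNSAFE_CALLEE='on: workflow_call
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "${{ github.event.pull_request.title }}"
'
printf '%s' "$SAFE_CALLER" | scan_workflow    # prints 0
printf '%s' "$UNSAFE_CALLEE" | scan_workflow  # prints 2
```

Run it against the called workflow file fetched at the pinned ref, not only against the caller, since that is where the page's safety claims would have to hold.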

@BYK BYK merged commit 276d3e2 into main Jan 16, 2026
57 checks passed
@BYK BYK deleted the chore/changelog-preview-target branch January 16, 2026 14:27