Revert pr.yaml trigger to pull_request (unblock CI)#80
Conversation
pull_request_target never fires on this repo — GitHub receives the PR events but the workflow never runs, blocking required checks on every open PR including Dependabot updates (#77, #78, #79). Revert to pull_request trigger which works reliably. Also remove the ref/persist-credentials checkout overrides that were only needed for pull_request_target (pull_request automatically checks out PR code). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the repository’s PR validation workflow to run on pull_request instead of pull_request_target, aiming to restore required CI checks that are currently not firing.
Changes:
- Revert workflow trigger from
pull_request_targettopull_requestfor PRs targetingmain. - Remove
actions/checkoutoverrides that were specific topull_request_target(PR ref checkout andpersist-credentials: false).
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: refs/pull/${{ github.event.pull_request.number }}/head | ||
| persist-credentials: false | ||
| fetch-depth: 0 |
There was a problem hiding this comment.
Removing the explicit ref: refs/pull/.../head changes actions/checkout to the default PR ref (typically the merge commit). If the intent is to keep validating the PR head commit (as before), set the checkout ref explicitly (e.g., to the PR head SHA). Also, removing persist-credentials: false causes the GITHUB_TOKEN credential to be written into the local git config by default; if you want to minimize token exposure to subsequent steps, consider restoring persist-credentials: false and updating any later git fetch operations to authenticate explicitly when needed.
| on: | ||
| pull_request_target: # Runs from the main branch, not from PR branch | ||
| pull_request: | ||
| branches: | ||
| - main |
There was a problem hiding this comment.
Switching the trigger to pull_request means the workflow definition is now sourced from the PR branch itself, so an untrusted PR can potentially modify this workflow to skip checks while still producing green check runs. If this repository needs to be hardened for external contributors, consider mitigating by running the validation workflow from the default branch (e.g., pull_request_target with tightly-scoped permissions and no secrets, or a reusable workflow invoked from a trusted workflow on main), and/or adding repo/ruleset protections for changes under .github/workflows/.
The "Detect protected configuration file changes" step still fails PRs that modify .editorconfig, Directory.Build.*, etc. The security note was removed in the trigger revert but the behavior remains. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Closing — found the actual bug: missing |
Why
pull_request_targeton main never fires — GitHub receives the PR events but the workflow never runs. This blocks required checks on every open PR, including Dependabot updates (#77, #78, #79) which can never merge.What
pull_request_target→pull_requestref: refs/pull/*/headandpersist-credentials: falsecheckout overrides (only needed forpull_request_target)fetch-depth: 0on the gitleaks checkoutMerging
This PR itself is subject to the broken required checks. To merge:
Once merged, all existing open PRs should have their checks start running on the next push/rebase.
🤖 Generated with Claude Code