From e1c743be3a0177f24a82d556360a08cc7d7448f0 Mon Sep 17 00:00:00 2001
From: Chris Wolfgang <210299580+Chris-Wolfgang@users.noreply.github.com>
Date: Sat, 18 Apr 2026 21:00:38 -0400
Subject: [PATCH 1/2] Revert pr.yaml trigger from pull_request_target to
 pull_request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pull_request_target never fires on this repo — GitHub receives the PR
events but the workflow never runs, blocking required checks on every
open PR including Dependabot updates (#77, #78, #79).

Revert to pull_request trigger which works reliably. Also remove the
ref/persist-credentials checkout overrides that were only needed for
pull_request_target (pull_request automatically checks out PR code).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/pr.yaml | 29 ++++-------------------------
 1 file changed, 4 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 5213a58..acc5c2b 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -4,15 +4,11 @@
 # Stage 3: macOS tests (only if Stage 2 passes)
 #
 # SECURITY NOTE:
-# - Uses pull_request_target to run workflow from the trusted main branch, not from the PR branch
-# - This prevents malicious workflow YAML changes in untrusted PR branches from taking effect
-# - All checkout steps use PR refs (refs/pull/*/head) to check out PR code from the base repo
+# - Uses pull_request (not pull_request_target) to avoid the "pwn request" attack vector
+#   (pull_request_target runs from the trusted main branch with elevated permissions, and checking
+#    out untrusted PR code in that context can allow attackers to exfiltrate secrets or abuse write access)
 # - After checkout, configuration files (.editorconfig, BannedSymbols.txt, etc.) are fetched from
 #   the main branch to prevent malicious PRs from disabling analyzers or bypassing code quality checks
-# - If a PR changes any of these protected configuration files, CI explicitly fails with instructions
-#   for a maintainer to manually review and verify the changes before merging
-# - persist-credentials: false prevents the checkout token from being written to git config for subsequent git commands
-#   (it does NOT, by itself, prevent steps from accessing github.token / GITHUB_TOKEN if you explicitly expose it)
 # - Default GITHUB_TOKEN permissions are restricted to read-only repository contents to limit impact if exposed
 
 name: PR Checks v3 (Gated)
@@ -24,7 +20,7 @@ env:
   CODECOV_MINIMUM: 90
 
 on:
-  pull_request_target:  # Runs from the main branch, not from PR branch
+  pull_request:
     branches:
       - main
 
@@ -44,8 +40,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/head
-          persist-credentials: false
           fetch-depth: 0
 
       - name: Run gitleaks
@@ -70,9 +64,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/head
-          persist-credentials: false
       
       - name: Fetch trusted configuration files from main branch
         run: |
@@ -194,9 +185,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/head
-          persist-credentials: false
       
       - name: Fetch trusted configuration files from main branch
         run: |
@@ -496,9 +484,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/head
-          persist-credentials: false
       
       - name: Fetch trusted configuration files from main branch
         shell: pwsh
@@ -735,9 +720,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/head
-          persist-credentials: false
       
       - name: Fetch trusted configuration files from main branch
         run: |
@@ -1044,9 +1026,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/head
-          persist-credentials: false
       
       - name: Fetch trusted configuration files from main branch
         run: |

From e50f176054ca10def8204d8172e2f85be8822e57 Mon Sep 17 00:00:00 2001
From: Chris Wolfgang <210299580+Chris-Wolfgang@users.noreply.github.com>
Date: Sun, 19 Apr 2026 19:22:43 -0400
Subject: [PATCH 2/2] Restore security note about protected config file
 behavior

The "Detect protected configuration file changes" step still fails
PRs that modify .editorconfig, Directory.Build.*, etc. The security
note was removed in the trigger revert but the behavior remains.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/pr.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index acc5c2b..c4a5c19 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -9,6 +9,8 @@
 #    out untrusted PR code in that context can allow attackers to exfiltrate secrets or abuse write access)
 # - After checkout, configuration files (.editorconfig, BannedSymbols.txt, etc.) are fetched from
 #   the main branch to prevent malicious PRs from disabling analyzers or bypassing code quality checks
+# - PRs that change protected configuration files (for example .editorconfig or Directory.Build.*)
+#   intentionally fail validation; those config changes are not evaluated by CI in the untrusted PR context
 # - Default GITHUB_TOKEN permissions are restricted to read-only repository contents to limit impact if exposed
 
 name: PR Checks v3 (Gated)