
docs: pull_request_target guidance and base-action trust model#1250

Merged
OctavianGuzu merged 3 commits into main from oct/fix-base-action-mcp-default on Apr 28, 2026

docs: add pull_request_target/workflow_run guidance and base-action t…

1201a9b
Claude / Claude Code Review completed Apr 27, 2026 in 18m 5s

Code review found 1 potential issue

Found 6 candidates, confirmed 1. See review comments for details.

Details

| Severity | Count |
|---|---|
| 🔴 Important | 0 |
| 🟡 Nit | 1 |
| 🟣 Pre-existing | 0 |

| Severity | File:Line | Issue |
|---|---|---|
| 🟡 Nit | docs/security.md:36-48 | 4ac01f0 doc fixes not present in current diff despite resolved threads |

Annotations

Check warning on line 48 in docs/security.md

claude / Claude Code Review

4ac01f0 doc fixes not present in current diff despite resolved threads

It looks like the 4ac01f0 doc fixes referenced in the two resolved threads above didn't survive the descope to docs-only — the second example (lines 36-46) still lacks the base-ref `actions/checkout@v4` step before the `path: pr-head` checkout (so it hard-fails under `pull_request_target` with `fatal: not a git repository`), and lines 25/31/41/48 still have only the `pull_request.head.sha` ref, the PRT-only `gh pr diff`/`gh pr view` hint, and the "general `pull_request_target` guidance" closer w