Change some workflows using pull_request to use pull_request_target instead (#112161)

carlossanlop · web-flow · commit 4c1ae74d7e31 · 2025-02-04T18:05:19.000-06:00
* Change workflows to use pull_request_target instead of pull_request event
* Add CODEOWNERS entry
* Add initial readme
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -112,3 +112,4 @@
 /docs/area-owners.*                                 @jeffhandley
 /docs/issue*.md                                     @jeffhandley
 /.github/policies/                                  @jeffhandley @mkArtakMSFT
+/.github/workflows/                                 @dotnet/runtime-infrastructure
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,6 @@
+# Workflows
+
+General guidance:
+
+- Please make sure to include the @dotnet/runtime-infrastructure group as a reviewer of your PRs.
+- Do not use the `pull_request` event. Use `pull_request_target` instead, as documented in [Workflows in forked repositories](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories) and [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target).
diff --git a/.github/workflows/check-no-merge-label.yml b/.github/workflows/check-no-merge-label.yml
@@ -4,8 +4,8 @@ permissions:
   pull-requests: read
 
 on:
-  pull_request:
-    types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+  pull_request_target:
+    types: [labeled, unlabeled]
     branches:
       - 'main'
       - 'release/**'
diff --git a/.github/workflows/check-service-labels.yml b/.github/workflows/check-service-labels.yml
@@ -4,8 +4,8 @@ permissions:
   pull-requests: read
 
 on:
-  pull_request:
-    types: [opened, edited, reopened, labeled, unlabeled, synchronize]
+  pull_request_target:
+    types: [labeled, unlabeled]
     branches:
       - 'release/**'
 
