From 7f7b85076863c796e8d9354cdd88b4115cfb32a1 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Mon, 9 Feb 2026 18:26:57 +0000 Subject: [PATCH] fix: replace pull_request_target with pull_request to prevent secret exposure Change the workflow trigger from pull_request_target to pull_request to prevent fork PRs from executing attacker-controlled code with base repository privileges and access to secrets. - Remove unsafe checkout of fork code (repository/ref parameters) - Update annotation job condition to match new event name - Keep ref parameter in prettier job for same-repo PRs only Co-Authored-By: Kane Parkinson --- .github/workflows/style-check.yml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/.github/workflows/style-check.yml b/.github/workflows/style-check.yml index 4dfb4340..00c89eca 100644 --- a/.github/workflows/style-check.yml +++ b/.github/workflows/style-check.yml @@ -1,6 +1,6 @@ name: Code Style Check -on: [push, pull_request_target] +on: [push, pull_request] jobs: eslint_check_upload: @@ -11,9 +11,6 @@ jobs: steps: - uses: actions/checkout@v4 - with: - repository: ${{ github.event.pull_request.head.repo.full_name }} - ref: ${{ github.head_ref }} - name: Setup Node uses: actions/setup-node@v3 with: @@ -37,7 +34,7 @@ jobs: annotation: # Skip the annotation action in push events - if: github.event_name == 'pull_request_target' + if: github.event_name == 'pull_request' permissions: checks: write needs: eslint_check_upload @@ -62,9 +59,6 @@ jobs: name: Format Check steps: - uses: actions/checkout@v3 - with: - repository: ${{ github.event.pull_request.head.repo.full_name }} - ref: ${{ github.head_ref }} - name: Setup Node uses: actions/setup-node@v3 with: @@ -85,7 +79,6 @@ jobs: steps: - uses: actions/checkout@v3 with: - repository: ${{ github.event.pull_request.head.repo.full_name }} ref: ${{ github.head_ref }} - name: Setup Node uses: actions/setup-node@v3