
ci: replace pull_request_target with pull_request and pin action SHAs#46

Merged
HugoRCD merged 1 commit into main from fix/replace-pull-request-target-with-pull-request on May 12, 2026

Conversation

@HugoRCD
Member

@HugoRCD HugoRCD commented May 12, 2026

Summary

  • Replaces pull_request_target with pull_request in label-pr.yml and semantic-pull-request.yml — eliminates the elevated-privilege trigger that could be abused if a checkout step were ever added
  • Pins amannn/action-semantic-pull-request to commit SHA 48f256284bd46cdaab1048c3721360e808335d50 (v6) to prevent floating-tag supply chain attacks
  • Pins marocchino/sticky-pull-request-comment to commit SHA 773744901bac0e8cbb5a0dc842800d45e9b2b405 (v2.9.4) for the same reason

Addresses security finding VULN-10700. Labelling and PR title validation are both read-only operations that work identically under pull_request.

Test plan

  • Open a test PR — label-pr workflow runs and applies the correct label
  • Open a test PR with a non-conforming title — semantic-pull-request workflow posts the expected error comment

Replaces pull_request_target with pull_request in label-pr.yml and
semantic-pull-request.yml to eliminate the elevated-privilege trigger.
Also pins amannn/action-semantic-pull-request and
marocchino/sticky-pull-request-comment to immutable commit SHAs to
mitigate supply chain risk (VULN-10700).
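The two changes described above (dropping the pull_request_target trigger and pinning third-party actions to full commit SHAs) are the kind of thing worth checking mechanically across a repository's workflows. The script below is an added example, not code from this PR or from the repository: it scans a workflow file for a pull_request_target trigger, for that trigger combined with a checkout of the PR head (the combination the description warns about), and for any `uses:` reference that is not a 40-character commit SHA. The two workflow snippets are constructed to resemble a before and after state; the after snippet reuses the two commit SHAs quoted in the PR description, and the function and finding names are assumptions of this example.

```python
import re

# Constructed "before" workflow: elevated-privilege trigger, PR head checked out,
# actions referenced by floating tags. Not a file from the repository.
WORKFLOW_BEFORE = """\
name: Semantic PR
on:
  pull_request_target:
    types: [opened, edited, synchronize]
permissions:
  pull-requests: write
jobs:
  lint-title:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: amannn/action-semantic-pull-request@v6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed "after" workflow in the shape the PR describes: pull_request trigger,
# no checkout step, both actions pinned to the SHAs quoted in the description.
WORKFLOW_AFTER = """\
name: Semantic PR
on:
  pull_request:
    types: [opened, edited, synchronize]
permissions:
  pull-requests: write
jobs:
  lint-title:
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50  # v6
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405  # v2.9.4
        if: always()
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A checkout of the PR head under pull_request_target is what turns the trigger into a problem.
PR_HEAD_REF_RE = re.compile(r"ref:\s*.*github\.event\.pull_request\.head\.(sha|ref)")


def trigger_events(text):
    """Return the event names under the top-level 'on:' key (inline, list or mapping form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # on: pull_request   or   on: [push, pull_request]
            return [e.strip() for e in inline.strip("[]").split(",") if e.strip()]
        events, base_indent = [], None
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:  # next top-level key ends the 'on:' block
                break
            if base_indent is None:
                base_indent = indent
            if indent == base_indent:  # only direct children are event names
                key = re.match(r"^\s*-?\s*([A-Za-z_]+)", nxt)
                if key:
                    events.append(key.group(1))
        return events
    return []


def unpinned_actions(text):
    """Return every external action reference whose version part is not a full commit SHA."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are not resolved via a git tag
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            found.append(ref)
    return found


def audit_workflow(text):
    """Collect findings for the two issues the PR fixes; an empty list means clean."""
    findings = []
    if "pull_request_target" in trigger_events(text):
        findings.append("trigger: pull_request_target runs with base-repository permissions")
        if PR_HEAD_REF_RE.search(text):
            findings.append("checkout: PR head checked out under pull_request_target")
    for ref in unpinned_actions(text):
        findings.append(f"unpinned: {ref} (pin to a full commit SHA)")
    return findings


if __name__ == "__main__":
    for name, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(name, audit_workflow(text) or "clean")
```

The trigger parser deliberately reads only the direct children of `on:` so that keys such as `types:` under an event are not mistaken for event names; the SHA check accepts nothing shorter than the full 40-hex commit id, since abbreviated SHAs and tags can both be moved.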
@vercel

vercel Bot commented May 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: knowledge-agent-template | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 12, 2026 5:50pm

@github-actions

github-actions Bot commented May 12, 2026

Thank you for following the naming conventions! 🙏

@github-actions github-actions Bot added the ci label May 12, 2026
@autofix-troubleshooter

Hi! I'm the autofix.ci troubleshooter bot.

It looks like you correctly set up a CI job that uses the autofix.ci GitHub Action, but the autofix.ci GitHub App has not been installed for this repository. This means that autofix.ci unfortunately does not have the permissions to fix this pull request. If you are the repository owner, please install the app and then restart the CI workflow! 😃

@HugoRCD HugoRCD merged commit 1b32f22 into main May 12, 2026
10 of 12 checks passed
@HugoRCD HugoRCD deleted the fix/replace-pull-request-target-with-pull-request branch May 12, 2026 17:51
