mirror of
https://github.com/clockworklabs/SpacetimeDB.git
synced 2026-03-20 09:01:05 +08:00
The PR approval check workflow uses `pull_request`, which does not grant the `GITHUB_TOKEN` write permissions for commit statuses on fork PRs. This causes the check to silently fail on external contributions.

Switches to `pull_request_target`, which runs in the context of the base branch and has the necessary permissions.

**Security notes** (also documented as comments in the workflow file):

- `pull_request_target` grants write access to the repository. This is safe here because the workflow **only reads PR metadata via the GitHub API** and never checks out, builds, or executes code from the PR branch.
- A clear `SECURITY` comment block at the top of the file explains why `pull_request_target` is used and warns against adding a checkout step.
- An additional inline comment on the job warns against adding checkout steps.

Co-authored-by: clockwork-labs-bot <clockwork-labs-bot@users.noreply.github.com>
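An illustrative workflow in the shape the commit message describes, added here as an example and not the project's own file: the `pull_request_target` trigger, an explicit least-privilege `permissions` block, and a job that only reads PR metadata through the GitHub API and posts a commit status. The approval rule (counting `APPROVED` reviews), the job and step names, and the `pr-approval` status context are assumptions.

```yaml
name: PR approval check

# SECURITY: this workflow uses pull_request_target so that GITHUB_TOKEN can
# write commit statuses on PRs opened from forks. pull_request_target runs the
# base branch's workflow definition with a write-capable token, so it MUST NOT
# check out, build, or execute anything from the PR branch.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege: only what reading PR data and posting a status requires.
permissions:
  contents: none
  pull-requests: read
  statuses: write

jobs:
  approval-check:
    runs-on: ubuntu-latest
    # Do not add actions/checkout to this job; see the SECURITY note above.
    steps:
      - name: Read PR metadata via the API and set a commit status
        env:
          # PR-controlled fields are passed through env, not interpolated into
          # the script body, so they cannot inject shell syntax.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Assumed rule for the example: at least one APPROVED review.
          approved=$(gh api "repos/$REPO/pulls/$PR_NUMBER/reviews" \
            --jq '[.[] | select(.state == "APPROVED")] | length')
          if [ "$approved" -gt 0 ]; then state=success; else state=pending; fi
          # Commit status write is the only reason this needs a write token.
          gh api --method POST "repos/$REPO/statuses/$HEAD_SHA" \
            -f state="$state" -f context="pr-approval" \
            -f description="approvals: $approved"
```

A reviewer of this file can audit it with one question: does any step touch the PR branch's contents (checkout, `gh pr checkout`, downloading its artifacts)? If the answer stays no, the write token never meets untrusted code.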