[Tech Debt] Fix GitHub Actions security by replacing the pull_request_target trigger in workflows #563

@GreatEugenius

Search before asking

  • I searched in the issues and found nothing similar.

Description

The following workflows use pull_request_target as a trigger:

  • Documentation Bot (.github/workflows/document_bot.yml)
  • Pull Request Labeler (.github/workflows/labeler.yml)

Using pull_request_target is considered a security risk because it runs workflows with write permissions in the context of the base repository, even when triggered by a fork. This can expose repository secrets and allow malicious code from a forked PR to execute with elevated privileges.

Are you willing to submit a PR?

  • I'm willing to submit a PR!
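As an added example (not code from this project, and not the issue author's), the script below triages workflow files for the combination the issue describes: a `pull_request_target` trigger whose job checks out the fork's head, or expands a PR-controlled field inline. It uses line-based regexes rather than a YAML parser so it runs on the standard library alone, so hits are leads for manual review rather than proof. The three workflow snippets are constructed for illustration and are not the contents of `document_bot.yml` or `labeler.yml`.

```python
"""Heuristic triage for the pull_request_target anti-pattern in GitHub Actions.

Added example, standard library only. The regexes approximate what a YAML-aware
linter would check; review every hit by hand.
"""
import os
import re
from typing import Dict, List

# A checkout of the pull request's *head* pulls fork-controlled code into a job
# that (under pull_request_target) holds a read/write GITHUB_TOKEN and secrets.
UNTRUSTED_REF = re.compile(
    r"ref:\s*\$\{\{\s*"
    r"(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)"
    r"|ref:\s*refs/pull/\$\{\{[^}]*\}\}/merge"
)
# PR-controlled strings expanded straight into the workflow (typically a `run:`
# step) are a script-injection path even when nothing is checked out.
INJECTABLE = re.compile(
    r"\$\{\{\s*github\.event\.pull_request\.(title|body|head\.ref)\s*\}\}"
)
TRIGGER = re.compile(r"\bpull_request_target\b")


def audit_workflow(text: str) -> List[str]:
    """Return findings for one workflow file's contents (empty list = clean)."""
    findings: List[str] = []
    # Plain `pull_request` runs fork PRs with a read-only token and no secrets,
    # so the same patterns are far less dangerous there; only flag the target form.
    if not TRIGGER.search(text):
        return findings
    for n, line in enumerate(text.splitlines(), 1):
        if UNTRUSTED_REF.search(line):
            findings.append(f"line {n}: pull_request_target job checks out fork head")
        elif INJECTABLE.search(line):
            findings.append(f"line {n}: PR-controlled field expanded inline")
    return findings


def audit_directory(workflows_dir: str = ".github/workflows") -> Dict[str, List[str]]:
    """Audit every *.yml / *.yaml under a workflows directory; keys are file names."""
    report: Dict[str, List[str]] = {}
    if not os.path.isdir(workflows_dir):
        return report
    for name in sorted(os.listdir(workflows_dir)):
        if name.endswith((".yml", ".yaml")):
            with open(os.path.join(workflows_dir, name), encoding="utf-8") as fh:
                report[name] = audit_workflow(fh.read())
    return report


# Constructed sample 1: the dangerous shape. Fork code (package.json scripts)
# runs with the base repository's token and an NPM secret in the environment.
VULNERABLE = """\
name: build-and-label
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample 2: build/test on `pull_request` instead. Fork PRs then get
# a read-only token and no secrets, and permissions are pinned explicitly.
HARDENED_BUILD = """\
name: build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Constructed sample 3: pull_request_target kept for a job that needs to write
# labels, but with no checkout of the fork and a minimal permissions block.
SAFE_LABELER = """\
name: labeler
on:
  pull_request_target:
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for label, sample in [("vulnerable", VULNERABLE), ("hardened", HARDENED_BUILD),
                          ("labeler", SAFE_LABELER)]:
        print(label, audit_workflow(sample) or "clean")
    for fname, hits in audit_directory().items():
        print(fname, hits or "clean")
```

Run it from a repository root to scan `.github/workflows`. The third sample shows the caveat a reviewer would raise on the fix: a labeling job that must write to pull requests from forks cannot use `pull_request` (its token is read-only for forks), so the usual hardening is to keep `pull_request_target` but never check out or execute fork code in that job and to restrict `permissions` to what it needs.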

Metadata

Assignees

Labels

  • priority/major: Default priority of the PR or issue.
  • tech debt: [Issue Type] User-unaware issues, such as code refactor and infrastructure maintenance.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests