From 18654630ab194f028ab99e1079fbe8dc4309666b Mon Sep 17 00:00:00 2001 From: Aaron Powell Date: Thu, 18 Jun 2026 10:57:33 +1000 Subject: [PATCH] fix: use pull_request_target trigger for external plugin PR quality gates (#2043) The workflow was using the pull_request trigger which restricts GITHUB_TOKEN to read-only for fork PRs, causing the sync-pr-state job to fail with 403 when trying to add labels. Switching to pull_request_target runs the workflow in the base repo context so declared permissions (issues: write, pull-requests: write) are honoured for cross-repository PRs. The workflow is safe to use pull_request_target because: - detect-changed-plugins reads files via the GitHub API only (no checkout) - run-quality-gates checks out the trusted staged branch, not the PR head - sync-pr-state also checks out the staged branch Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/external-plugin-pr-quality-gates.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/external-plugin-pr-quality-gates.yml b/.github/workflows/external-plugin-pr-quality-gates.yml index 8a7d3ac4..f59e5190 100644 --- a/.github/workflows/external-plugin-pr-quality-gates.yml +++ b/.github/workflows/external-plugin-pr-quality-gates.yml @@ -1,7 +1,7 @@ name: External Plugin PR Quality Gates on: - pull_request: + pull_request_target: branches: [staged] paths: - "plugins/external.json"
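Review bot: At the `pull_request_target:` line, the safety of this trigger depends on invariants that are stated only in the commit message (detect-changed-plugins reads via the API with no checkout, the other two jobs check out the staged branch, not the PR head), and nothing in the workflow file records them. Add a comment directly above the trigger saying that no job in this workflow may check out or execute content from the PR head, so that a later edit introducing a checkout of the PR ref is caught in review. The job bodies are not in this hunk, so confirm in the same review that `issues: write` and `pull-requests: write` are granted only to the job that needs them (sync-pr-state) rather than at workflow level, and that the fork-supplied contents of `plugins/external.json` are treated as untrusted data and never interpolated into a `run:` step.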