fix: use pull_request_target trigger for external plugin PR quality gates (#2043)

The workflow was using the pull_request trigger which restricts
GITHUB_TOKEN to read-only for fork PRs, causing the sync-pr-state
job to fail with 403 when trying to add labels.

Switching to pull_request_target runs the workflow in the base
repo context so declared permissions (issues: write, pull-requests:
write) are honoured for cross-repository PRs.

The workflow is safe to use pull_request_target because:
- detect-changed-plugins reads files via the GitHub API only (no checkout)
- run-quality-gates checks out the trusted staged branch, not the PR head
- sync-pr-state also checks out the staged branch

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Aaron Powell
2026-06-18 10:57:33 +10:00
committed by GitHub
parent beef5a5fe0
commit 18654630ab
@@ -1,7 +1,7 @@
name: External Plugin PR Quality Gates name: External Plugin PR Quality Gates
on: on:
pull_request: pull_request_target:
branches: [staged] branches: [staged]
paths: paths:
- "plugins/external.json" - "plugins/external.json"
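Review bot: the new `pull_request_target:` line has no in-file comment recording the invariants the commit message relies on, so the safety argument lives only in the commit history. The jobs are not visible in this hunk. With this trigger the workflow runs in the base repo context with the declared write permissions for fork PRs, so a later edit that checks out the PR head in any job would execute fork-controlled content with that token. Suggest a comment directly above the trigger stating that no job may check out or execute the PR head, and that the contents of `plugins/external.json` read from the PR via the API are untrusted data that must be parsed, never interpolated into a `run:` step. It would also help to confirm that the `issues: write` and `pull-requests: write` permissions are declared on sync-pr-state only rather than at workflow level, so detect-changed-plugins and run-quality-gates keep a read-only token.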