Clarify CLA retry checkout safety comment

clockwork-labs-bot · clockwork-labs-bot · commit 1ec4a2dacb4c · 2026-06-04T15:56:18.000-04:00
diff --git a/.github/workflows/retry-cla-assistant.yml b/.github/workflows/retry-cla-assistant.yml
@@ -6,7 +6,8 @@ name: Retry CLA Assistant
 # Assistant only when that status is the sole remaining non-green signal.
 #
 # SECURITY: This workflow uses pull_request_target so it can inspect PR status
-# for forks, but it must never check out, build, or execute code from the PR.
+# for forks. It checks out trusted default-branch code only; it must never check
+# out, build, or execute code from the PR head.
 
 on:
   pull_request_target:

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,8 @@ name: Retry CLA Assistant`
`6`	`6`	`# Assistant only when that status is the sole remaining non-green signal.`
`7`	`7`	`#`
`8`	`8`	`# SECURITY: This workflow uses pull_request_target so it can inspect PR status`
`9`		`-# for forks, but it must never check out, build, or execute code from the PR.`
	`9`	`+# for forks. It checks out trusted default-branch code only; it must never check`
	`10`	`+# out, build, or execute code from the PR head.`
`10`	`11`
`11`	`12`	`on:`
`12`	`13`	`pull_request_target:`