ci: automatically publish suppressions after merged PRs (#8527)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: chadlwilson

.github/workflows/lint-pr.yml

@@ -2,6 +2,10 @@ name: "Lint PR"
 
 on:
   pull_request_target:
+    # BE CAREFUL - this event runs in the context of the default branch (`main`) workflow definition in the target
+    #    repository (NOT the fork's context), so it has potentially sensitive access.
+    #    It is critical that this only runs on very limited events and/or access to the repo
+    # Read https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
     types:
       - opened
       - edited

.github/workflows/publish-suppressions.yml

@@ -2,13 +2,21 @@ name: Publish Suppressions
 
 on:
   workflow_dispatch:
-  push:
-    branches:
-      - generatedSuppressions
+  pull_request_target:
+    # BE CAREFUL - this event runs in the context of the default branch (`main`) workflow definition in the target
+    #    repository (NOT the fork's context), so it has potentially sensitive access.
+    #    It is critical that this only runs on very limited events and/or access to the repo
+    # Read https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
+    types: [ closed ]
+    branches: [ generatedSuppressions ]
+    paths: [ generatedSuppressions.xml ]
+
 
 permissions: {}
 jobs:
   update_suppression:
+    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
+
     permissions:
       contents: write # to push changes in repo (jamesives/github-pages-deploy-action)