Skip to content

Auto-close duplicate effort PRs #5866

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
sentrivana wants to merge 1 commit into from

Auto-close duplicate effort PRs

3427348
Select commit
Loading
Failed to load commit list.
Closed

Auto-close duplicate effort PRs #5866

Auto-close duplicate effort PRs
3427348
Select commit
Loading
Failed to load commit list.
@sentry/warden / warden: code-review completed Mar 25, 2026 in 36s

1 issue

code-review: Found 1 issue (1 medium)

Medium

Missing explicit permissions on pull_request_target workflow - `.github/workflows/close-duplicate-effort-prs.yml:4-10`

The workflow uses pull_request_target trigger but doesn't specify explicit permissions. With pull_request_target, the workflow runs with the permissions of the base repository, not the fork. Without explicit permission restrictions, this workflow may have broader access than needed (e.g., contents: write, packages: write, etc.). While this specific workflow only needs pull-requests: write and issues: read, it may inherit broader default permissions.

Duration: 33.3s · Tokens: 56.7k in / 1.1k out · Cost: $0.12 (+fix_gate: $0.00)

Annotations

Check warning on line 10 in .github/workflows/close-duplicate-effort-prs.yml

See this annotation in the file changed.

@sentry-warden sentry-warden / warden: code-review

Missing explicit permissions on pull_request_target workflow 

The workflow uses `pull_request_target` trigger but doesn't specify explicit `permissions`. With `pull_request_target`, the workflow runs with the permissions of the base repository, not the fork. Without explicit permission restrictions, this workflow may have broader access than needed (e.g., contents: write, packages: write, etc.). While this specific workflow only needs `pull-requests: write` and `issues: read`, it may inherit broader default permissions.
View more details on @sentry/warden