From faafedb119d7723ca794836dbf067aca5e3a23d6 Mon Sep 17 00:00:00 2001 From: jovnc <95868357+jovnc@users.noreply.github.com> Date: Thu, 8 Jan 2026 23:12:23 +0800 Subject: [PATCH 1/3] [ci] Add fix for contribution message not working for PRs from fork --- .github/workflows/contribution-message.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/contribution-message.yml b/.github/workflows/contribution-message.yml index d1b70728..597e8b94 100644 --- a/.github/workflows/contribution-message.yml +++ b/.github/workflows/contribution-message.yml @@ -1,18 +1,18 @@ name: Post contribution message in pull request on: - pull_request: + pull_request_target: types: [opened, reopened] permissions: - contents: write + # Only scope GITHUB_TOKEN to write for pull requests, others set to none (by default) for security reasons since we are using pull_request_target trigger pull-requests: write jobs: post_contribution_message: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v6 + - name: Checkout repository # Checks out to base repository by default + uses: actions/checkout@v6 # DO NOT CHECKOUT TO HEAD UNSAFE (will checkout to head of the fork) - name: Setup Python uses: actions/setup-python@v5 From 2ae7d353d2553318d57f48170bdd5eedc0fe77ab Mon Sep 17 00:00:00 2001 From: jovnc <95868357+jovnc@users.noreply.github.com> Date: Thu, 8 Jan 2026 23:30:21 +0800 Subject: [PATCH 2/3] [ci] Add more comments --- .github/workflows/contribution-message.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/contribution-message.yml b/.github/workflows/contribution-message.yml index 597e8b94..43212e9b 100644 --- a/.github/workflows/contribution-message.yml +++ b/.github/workflows/contribution-message.yml @@ -11,7 +11,7 @@ jobs: post_contribution_message: runs-on: ubuntu-latest steps: - - name: Checkout repository # Checks out to base repository by default + - name: Checkout repository # Checks out to base repository default branch (for pull_request_target trigger) uses: actions/checkout@v6 # DO NOT CHECKOUT TO HEAD UNSAFE (will checkout to head of the fork) - name: Setup Python From 778f949ee2905674ecf155187253b585009e8a36 Mon Sep 17 00:00:00 2001 From: jovnc <95868357+jovnc@users.noreply.github.com> Date: Fri, 9 Jan 2026 21:54:33 +0800 Subject: [PATCH 3/3] [ci] Address comments --- .github/workflows/contribution-message.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/contribution-message.yml b/.github/workflows/contribution-message.yml index 43212e9b..35ef6137 100644 --- a/.github/workflows/contribution-message.yml +++ b/.github/workflows/contribution-message.yml @@ -11,8 +11,9 @@ jobs: post_contribution_message: runs-on: ubuntu-latest steps: - - name: Checkout repository # Checks out to base repository default branch (for pull_request_target trigger) - uses: actions/checkout@v6 # DO NOT CHECKOUT TO HEAD UNSAFE (will checkout to head of the fork) + # DO NOT CHECKOUT TO HEAD UNSAFE (will checkout to head of the fork for pull_request_target trigger) + - name: Checkout repository + uses: actions/checkout@v6 - name: Setup Python uses: actions/setup-python@v5