Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .github/workflows/auto-author-assign.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,11 @@
---
name: "Auto Author Assign"
# Uses pull_request_target so the assign step gets a read-write token on fork
# PRs (pull_request hands forks a read-only token, which makes the assignees
# API call fail). Safe here: the workflow never checks out or executes PR-head
# code, it only assigns the author via the API from the event payload.
on:
pull_request:
pull_request_target:
types: [opened, reopened, synchronize]
permissions:
contents: read
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/mark-ready-when-ready.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,13 @@
name: Mark PR Ready When Ready

# Uses pull_request_target so the mark-ready step gets a read-write token on
# fork PRs (pull_request hands forks a read-only token, so contents: write is
# denied and the job fails). Safe here: the workflow never checks out or
# executes PR-head code. The action reads the PR number, draft flag, labels,
# and head SHA from the event payload and acts only via the API, so running in
# the base-repo context does not evaluate any untrusted code.
on:
pull_request:
pull_request_target:
types: [opened, edited, labeled, unlabeled, synchronize]

permissions:
Expand Down