fix: workflows

[robertherber]

No description provided.

[changeset-bot]

⚠️ No Changeset found

Latest commit: bf7cf1f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/kingstinct/react-native-healthkit/@kingstinct/react-native-healthkit@338

commit: bf7cf1f

[Copilot]

Pull request overview

Updates GitHub Actions workflows to adjust which PR events they run on and which refs they check out, aiming to fix CI/preview behavior for pull requests.

Changes:

• Switch Test workflow trigger from pull_request_target to pull_request.
• Configure Package Preview workflow to check out refs/pull/<number>/merge instead of the base branch when using pull_request_target.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/test.yml	Changes PR trigger type for the main CI workflow.
.github/workflows/package-preview.yml	Checks out the PR merge ref for preview package publishing.

[Copilot]

runs-on is computed from the inputs context in this workflow, but inputs is only populated for workflow_call / workflow_dispatch. Now that this workflow runs on pull_request (and push), referencing inputs.os can cause expression evaluation to fail on those events. Consider removing the inputs.* usage for PR/push runs (e.g., hardcode runners or use github.event.inputs only for workflow_dispatch / split the reusable workflow from the PR/push workflow).

[Copilot]

This workflow is triggered by pull_request_target but explicitly checks out the PR merge ref and then runs bun install / repo code (codegen, pkg-pr-new). With pull_request_target, the job runs in the base-repo security context (and typically has broader GITHUB_TOKEN permissions), so a malicious PR can execute arbitrary code and exfiltrate credentials. Mitigate by switching to pull_request, or restricting to same-repo PRs (if: github.event.pull_request.head.repo.full_name == github.repository), and explicitly minimizing permissions + disabling install scripts (bun install --ignore-scripts --frozen-lockfile) if you must keep pull_request_target.