Update doc

Signed-off-by: Simon Beaudoin <sbeaudoi@qti.qualcomm.com>

Author: simonbeaudoin0935

docs/actions/build_container.md

@@ -102,8 +102,6 @@ This ensures published containers are functional.
   with:
     arch: arm64
     push-to-ghcr: true
-    token: ${{ secrets.DEB_PKG_BOT_CI_TOKEN }}
-    username: ${{ vars.DEB_PKG_BOT_CI_USERNAME }}
 ```
 
 ## Notes

docs/package-repo-integration.md

@@ -111,7 +111,6 @@ If you prefer to set up a repository manually instead of using the template:
    - Require branches to be up to date
 
 3. **Configure organization secrets** (already set at org level):
-   - `DEB_PKG_BOT_CI_TOKEN` - GitHub PAT
    - `SEMGREP_APP_TOKEN` - For security scanning
 
 4. **Configure organization variables** (already set at org level):
@@ -200,11 +199,9 @@ Create the minimal workflow files that call qcom-build-utils reusable workflows.
 
 ```yaml
 name: Pre-Merge
-description: |
-  Tests that with this PR, the package builds successfully.
 
 on:
-  pull_request_target:
+  pull_request:
     branches: [ debian/qcom-next ]
 
 permissions:
@@ -220,9 +217,6 @@ jobs:
       run-abi-checker: true
       push-to-repo: false
       is-post-merge: false
-
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 #### .github/workflows/post-merge.yml
@@ -249,9 +243,6 @@ jobs:
       push-to-repo: true
       run-abi-checker: true
       is-post-merge: true
-
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 #### Step 4: Initial Commit
@@ -412,8 +403,6 @@ jobs:
       upstream-tag: ${{ github.event.inputs.upstream-tag }}
       upstream-repo: ${{ github.event.inputs.upstream-repo }}
       promote-changelog: true
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 #### Triggering Upstream Promotion
@@ -476,7 +465,7 @@ graph TB
 name: Package Build PR Check
 
 on:
-  pull_request_target:
+  pull_request:
     branches: [ main ]
 
 permissions:
@@ -492,8 +481,6 @@ jobs:
       upstream-repo-ref: ${{github.head_ref}}         # PR branch
       pkg-repo: ${{vars.PKG_REPO_GITHUB_NAME}}        # Links to package repo via variable
       pr-number: ${{github.event.pull_request.number}}
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 **How the variable works**:

docs/reusable-workflows.md

@@ -54,12 +54,6 @@ flowchart TD
 | `is-post-merge` | boolean | No | `false` | True if triggered by merge to debian/qcom-next |
 | `runner` | string | No | `lecore-prd-u2404-arm64-xlrg-od-ephem` | GitHub runner to use |
 
-### Secrets
-
-| Secret | Description |
-|--------|-------------|
-| `TOKEN` | GitHub PAT token for authentication |
-
 ### Environment Variables
 
 - `REPO_URL`: `https://qualcomm-linux.github.io/pkg-oss-staging-repo/`
@@ -88,8 +82,6 @@ jobs:
       run-abi-checker: true
       push-to-repo: false
       is-post-merge: false
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 #### Post-merge Build and Publish
@@ -104,8 +96,6 @@ jobs:
       push-to-repo: true
       run-abi-checker: true
       is-post-merge: true
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 ---
@@ -154,14 +144,13 @@ flowchart TD
 
 ### Secrets
 
-| Secret | Description |
-|--------|-------------|
-| `TOKEN` | GitHub PAT token for authentication |
+| Secret | Required | Description |
+|--------|----------|-------------|
+| `PAT` | No | GitHub Personal Access Token for authenticating against **private** upstream repositories. Not required when the upstream repository is public. |
 
 ### Environment Variables
 
 - `NORMALIZED_VERSION`: Version with 'v' prefix removed
-- `DISTRIBUTION`: Target distribution (default: `noble`)
 
 ### Workflow Steps
 
@@ -187,8 +176,6 @@ jobs:
       upstream-tag: v2.1.0
       upstream-repo: qualcomm-linux/my-upstream-project
       promote-changelog: true
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 ### Notes
@@ -240,12 +227,6 @@ flowchart TD
 | `distro-codename` | string | No | `noble` | Distribution codename |
 | `runner` | string | No | `ubuntu-latest` | Runner to use |
 
-### Secrets
-
-| Secret | Description |
-|--------|-------------|
-| `TOKEN` | GitHub PAT token for authentication |
-
 ### Environment Variables
 
 - `REPO_URL`: APT repository URL for ABI checking
@@ -273,7 +254,7 @@ Called from upstream repository's workflow (e.g., `.github/workflows/pkg-build-p
 name: Package Build PR Check
 
 on:
-  pull_request_target:
+  pull_request:
     branches: [ main ]
 
 jobs:
@@ -285,8 +266,6 @@ jobs:
       upstream-repo-ref: ${{github.head_ref}}
       pkg-repo: ${{vars.PKG_REPO_GITHUB_NAME}}
       pr-number: ${{github.event.pull_request.number}}
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 **Setup Requirements**:
@@ -473,16 +452,13 @@ jobs:
       # Input parameters
       qcom-build-utils-ref: development
       # ... other inputs
-    secrets:
-      TOKEN: ${{secrets.DEB_PKG_BOT_CI_TOKEN}}
 ```
 
 ### Required Organization Secrets
 
 Package repositories need these organization secrets configured:
 
-- `DEB_PKG_BOT_CI_TOKEN` - GitHub PAT for authentication
-- `SEMGREP_APP_TOKEN` - For security scanning
+- `SEMGREP_APP_TOKEN` - For security scanning (used by qcom-preflight-checks)
 
 ### Required Organization Variables
 

docs/workflow-architecture.md

@@ -216,7 +216,7 @@ sequenceDiagram
 **Workflow Configuration** (in pkg-*/. github/workflows/pre-merge.yml):
 ```yaml
 on:
-  pull_request_target:
+  pull_request:
     branches: [ debian/qcom-next ]
 
 jobs:
@@ -373,14 +373,13 @@ flowchart LR
 1. **Centralization**: Workflow logic is centralized in qcom-build-utils to ensure consistency
 2. **Reusability**: Package repositories only need minimal workflow callers
 3. **Flexibility**: Workflows support various configurations through input parameters
-4. **Security**: Uses organization secrets and restricted permissions
+4. **Security**: Uses `GITHUB_TOKEN` (no long-lived PAT secrets needed for standard builds); restricted permissions per workflow
 5. **Isolation**: Each package repository is independent
 6. **Automation**: Automated building, testing, versioning, and publishing
 
 ## Security Considerations
 
-- Workflows use `pull_request_target` for secure PR builds
-- Container credentials stored as organization secrets
-- Repository access controlled via GitHub PAT tokens
+- Workflows use `on: pull_request` (not `pull_request_target`) to prevent remote code execution (RCE): PR workflows run in the context of the PR branch with restricted permissions, so repository secrets are never exposed to untrusted code from public forks
+- Container registry access uses `GITHUB_TOKEN` instead of a long-lived PAT
 - ABI checking prevents accidental API/ABI breakage
 - CodeQL and security scanning via qcom-preflight-checks