Fix cleanup-caches workflow for fork PRs

cderv · cderv · commit e936df4cf325 · 2026-04-22T17:24:33.000+02:00
pull_request events from forks ship a read-only GITHUB_TOKEN regardless of the permissions: block, so gh cache delete fails with HTTP 403 and the fork PR's ~1-2 GB of caches leak into the repo's 10 GB cache budget. Observed on PR #14374 (8/8 deletes returned 403, run succeeded because set +e swallowed the failures). pull_request_target runs in the base-branch context with full write permissions. Safe for this workflow: no PR code is checked out, the steps only call gh cache list/delete.
diff --git a/.github/workflows/cleanup-caches.yml b/.github/workflows/cleanup-caches.yml
@@ -1,6 +1,10 @@
 name: Cleanup github runner caches on closed pull requests
 on:
-  pull_request:
+  # pull_request_target is required so fork PRs can delete their own caches on close.
+  # pull_request from a fork ships a read-only GITHUB_TOKEN regardless of the
+  # permissions: block, causing gh cache delete to fail with HTTP 403.
+  # Safe here: no PR code is checked out, the workflow only calls gh cache list/delete.
+  pull_request_target:
     types:
       - closed
 
