From d8ee33c1214860ab727015a9d0cb136bc8b5abe7 Mon Sep 17 00:00:00 2001
From: addshore
Date: Sun, 3 May 2026 12:18:31 +0200
Subject: [PATCH] Use pull_request_target for mattermost.yml workflow runs from the target/base branch (your main), and has access to repo secrets. However user provided PRs can thus not change the workflow code that is running, unless your repo is already compromised
---
 .github/workflows/mattermost.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/mattermost.yml b/.github/workflows/mattermost.yml
index 6a994f2e4..07d74ff77 100644
--- a/.github/workflows/mattermost.yml
+++ b/.github/workflows/mattermost.yml
@@ -1,7 +1,9 @@
 on:
-  pull_request:
+  pull_request_target:
     types: [ opened, reopened ]
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
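Review bot: The safety claim in the commit description holds only if no step in the `build` job checks out or executes pull-request head content, and the job's steps lie outside this hunk, so that cannot be confirmed here; a comment above `pull_request_target:` would make the invariant visible to future edits, e.g. `# pull_request_target runs on the base branch with repo secrets: never check out or execute PR-head code in this job`. If any step interpolates PR-controlled fields such as the title or body into a `run:` script, they should be passed through `env:` rather than inline `${{ }}`, since secrets are now in scope for this trigger. The added top-level `permissions: {}` is a sound default; any scope the job genuinely needs (for example `pull-requests: read`) belongs at job level so the deny-all stays in force elsewhere. The `jobs` mapping continues past the end of the hunk.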