This is an automated email from the ASF dual-hosted git repository.
zeroshade pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg-go.git
The following commit(s) were added to refs/heads/main by this push:
new 2cb0c301 ci: replace pull_request_target with pull_request (#751)
2cb0c301 is described below
commit 2cb0c30124a94f93e7f5b080bdad19f425f2effc
Author: Kevin Liu <[email protected]>
AuthorDate: Mon Feb 23 19:32:09 2026 -0500
ci: replace pull_request_target with pull_request (#751)
`pull_request_target` carries higher risk for untrusted PRs because it
executes in the base repository context and can have broader token
privileges.
Switching to `pull_request` provides a safer default security posture
for external contributions.
The main tradeoff is that auto-labeling may not run for fork-based PRs,
which is acceptable in our case.
ASF infra keeps on flagging this, so lets make the change
---
.github/workflows/labeler.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index e56be9f4..78390932 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -16,7 +16,7 @@
# under the License.
name: "Pull Request Labeler"
-on: pull_request_target
+on: pull_request
permissions:
contents: read
