This is an automated email from the ASF dual-hosted git repository. davidarthur pushed a commit to branch revert-e567025ab4f in repository https://gitbox.apache.org/repos/asf/kafka.git
commit 025a6e039a136e8655ac64dabb374a1bdfe514d1
Author: David Arthur <[email protected]>
AuthorDate: Fri Feb 20 20:15:47 2026 -0500
Revert "MINOR Use pull_request instead of pull_request_target (#21530)"
This reverts commit e567025ab4fa451acc83c43c27b09e22a13dfc23.
---
.github/workflows/pr-update.yml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml
index 0760cb132a7..7b45a15d191 100644
--- a/.github/workflows/pr-update.yml
+++ b/.github/workflows/pr-update.yml
@@ -1,4 +1,4 @@
-#s Licensed to the Apache Software Foundation (ASF) under one or more
+# Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements. See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to You under the Apache License, Version 2.0
@@ -15,7 +15,15 @@ name: Pull Request
 on:
- pull_request:
+ # CAUTION! The pull_request_target is generally consider UNSAFE. This is because it will
+ # run untrusted code on the GHA infra with access to secrets and elevated permissions. We must
+ # not run any code from the pull request here. Instead, this workflow is for things like adding
+ # comments or labels to the pull request.
+ #
+ # Read:
+ # * https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target
+ # * https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+ pull_request_target:
 types: [opened, reopened, synchronize]
 branches:
 - trunk
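Review bot: Nothing in the second hunk enforces the rule stated in the new comment above `pull_request_target:`; the jobs themselves lie outside the hunk, so the comment is the only safeguard visible here. Because this trigger runs in the base repository's context with its secrets, each job should declare the narrowest token scope it needs, for a labelling or commenting job something like `permissions:` with `contents: read` and `pull-requests: write`, unless that is already set further down. It is also worth confirming that no step checks out `github.event.pull_request.head.sha` or the head ref, and that PR-controlled fields such as the title, body or `github.head_ref` reach `run:` steps through `env:` rather than direct `${{ }}` interpolation. Two smaller points: the comment's "generally consider UNSAFE" should read "generally considered UNSAFE", and the commit message does not say why `pull_request` was insufficient, which a reader of this revert will want to know.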
