(kafka) branch trunk updated: Revert "MINOR Use pull_request instead of pull_request_target (#21530)" (#21532)

Fri, 20 Feb 2026 17:24:14 -0800 

This is an automated email from the ASF dual-hosted git repository.

davidarthur pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 172aa3cbcd2 Revert "MINOR Use pull_request instead of 
pull_request_target (#21530)" (#21532)
172aa3cbcd2 is described below

commit 172aa3cbcd2236be878dfcb47d0ebc35cc77a834
Author: David Arthur <[email protected]>
AuthorDate: Fri Feb 20 20:23:43 2026 -0500

    Revert "MINOR Use pull_request instead of pull_request_target (#21530)" 
(#21532)
    
    This reverts commit e567025ab4fa451acc83c43c27b09e22a13dfc23.
    
    Reviewers: Chia-Ping Tsai <[email protected]>
---
 .github/workflows/pr-update.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml
index 0760cb132a7..7b45a15d191 100644
--- a/.github/workflows/pr-update.yml
+++ b/.github/workflows/pr-update.yml
@@ -1,4 +1,4 @@
-#s Licensed to the Apache Software Foundation (ASF) under one or more
+# Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
 # this work for additional information regarding copyright ownership.
 # The ASF licenses this file to You under the Apache License, Version 2.0
@@ -15,7 +15,15 @@
 
 name: Pull Request
 on:
-  pull_request:
+  # CAUTION! The pull_request_target is generally consider UNSAFE. This is 
because it will
+  # run untrusted code on the GHA infra with access to secrets and elevated 
permissions. We must
+  # not run any code from the pull request here. Instead, this workflow is for 
things like adding
+  # comments or labels to the pull request.
+  #
+  # Read:
+  # * 
https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target
+  # * 
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
+  pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - trunk

Reply via email to