From 6a16efcaaf5b89c144105f94318ce55106d28723 Mon Sep 17 00:00:00 2001
From: LinZhihao-723
Date: Sat, 30 Nov 2024 23:37:16 -0500
Subject: [PATCH] Add comment

---
 .github/workflows/pr-title-checks.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/pr-title-checks.yaml b/.github/workflows/pr-title-checks.yaml
index 6cfb301..e34a7d7 100644
--- a/.github/workflows/pr-title-checks.yaml
+++ b/.github/workflows/pr-title-checks.yaml
@@ -2,6 +2,11 @@ name: "pr-title-checks"
 on:
   pull_request_target:
+    # NOTE: The `pull_request_target` event means GITHUB_TOKEN can access secrets and is granted
+    # read/write repository access by default. So we need to ensure:
+    # - This workflow doesn't inadvertently check out, build, or execute untrusted code from the
+    # pull request triggered by this event.
+    # - Each job has `permissions` set to only those necessary.
     types: ["edited", "opened", "reopened"]
     branches: ["main"]