From 2bf01f7a84a32114d9b08cdfec39660e9db63f36 Mon Sep 17 00:00:00 2001 From: borislavr Date: Mon, 13 Oct 2025 09:09:39 +0000 Subject: [PATCH 1/3] fix(ci): update PR auto-assignment workflow to use pull_request event and improve fork handling Related issue: pull_request_target vulnerability (https://nx.dev/blog/s1ngularity-postmortem) --- .github/workflows/pr-assigner.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/pr-assigner.yml diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml new file mode 100644 index 0000000..75601f9 --- /dev/null +++ b/.github/workflows/pr-assigner.yml @@ -0,0 +1,31 @@ +name: PR Auto-Assignment +run-name: "Assigning reviewers for PR #${{ github.event.pull_request.number }}" +on: + pull_request: + types: [opened, reopened, synchronize] + branches: + - main + +permissions: + pull-requests: write + contents: read + +jobs: + pr-auto-assign: + runs-on: ubuntu-latest + + steps: + - name: Check if PR is from a fork + run: | + if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.event.pull_request.base.repo.full_name }}" ]; then + echo "⚠️ Pull request is from a fork — skipping assignee assignment (no write permissions)." + exit 0 + fi + + - uses: actions/checkout@v5 + with: + persist-credentials: false + + - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} From 67172d037fb628412f9aa4801a5f50b53fe7702d Mon Sep 17 00:00:00 2001 From: borislavr Date: Mon, 13 Oct 2025 10:10:40 +0000 Subject: [PATCH 2/3] fix(ci): update PR auto-assignment workflow to use pull_request event and improve fork handling Related issue: pull_request_target vulnerability (https://nx.dev/blog/s1ngularity-postmortem) --- .github/workflows/pr-assigner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml index 75601f9..2373943 100644 --- a/.github/workflows/pr-assigner.yml +++ b/.github/workflows/pr-assigner.yml @@ -28,4 +28,4 @@ jobs: - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0 env: - GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 43df937143cad7cb5b77ed2280a059bbe18d825c Mon Sep 17 00:00:00 2001 From: borislavr Date: Tue, 14 Oct 2025 07:26:57 +0000 Subject: [PATCH 3/3] fix(ci): update PR auto-assignment workflow to use pull_request event and improve fork handling Related issue: pull_request_target vulnerability (https://nx.dev/blog/s1ngularity-postmortem) --- .github/workflows/pr-assigner.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml index 2373943..66965ff 100644 --- a/.github/workflows/pr-assigner.yml +++ b/.github/workflows/pr-assigner.yml @@ -1,7 +1,7 @@ name: PR Auto-Assignment run-name: "Assigning reviewers for PR #${{ github.event.pull_request.number }}" on: - pull_request: + pull_request_target: types: [opened, reopened, synchronize] branches: - main @@ -26,6 +26,6 @@ jobs: with: persist-credentials: false - - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0 + - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@b575bad3a0959c4e883bc34f9d055ff07fde2dbd #2.0.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}