fix(ci): use pull_request_target for fork PR labeling (#585)

oalanicolas · claude · web-flow · commit 602b14987be8 · 2026-03-11T10:04:14.000-03:00
* fix(ci): use pull_request_target for fork PR labeling (#479) Switch trigger from pull_request to pull_request_target so fork PRs get a write-capable GITHUB_TOKEN. Replace git-diff squad detection with GitHub API (pulls.listFiles) since pull_request_target does not check out fork commits. Remove unnecessary checkout step. Closes #479 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(ci): paginate listFiles to handle PRs with 100+ changed files Use github.paginate() instead of a single API call to ensure squad detection works even for large PRs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(ci): detect squad file renames via previous_filename Address CodeRabbit review: also check previous_filename for renames moving files out of squads/, preventing policy bypass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(ci): pin actions to SHA refs for pull_request_target security Pin actions/labeler and actions/github-script to immutable commit SHAs to prevent supply-chain attacks in the write-token context. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/pr-labeling.yml b/.github/workflows/pr-labeling.yml
@@ -2,7 +2,7 @@ name: PR Labeling
 # Story 6.1 - Added concurrency
 
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize]
 
 concurrency:
@@ -16,34 +16,33 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
       - name: Label PR based on files changed
-        uses: actions/labeler@v4
+        uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           configuration-path: .github/labeler.yml
           sync-labels: true
 
-      - name: Check for squad changes
-        id: check-squad
-        run: |
-          if git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -q "^squads/"; then
-            echo "has_squad=true" >> $GITHUB_OUTPUT
-          else
-            echo "has_squad=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Add needs-po-review label for squad PRs
-        if: steps.check-squad.outputs.has_squad == 'true'
-        uses: actions/github-script@v7
+      - name: Check for squad changes and add label
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
-            github.rest.issues.addLabels({
-              issue_number: context.issue.number,
+            const files = await github.paginate(github.rest.pulls.listFiles, {
               owner: context.repo.owner,
               repo: context.repo.repo,
-              labels: ['needs-po-review']
-            })
+              pull_number: context.payload.pull_request.number,
+              per_page: 100
+            });
+            const hasSquadChanges = files.some(f =>
+              f.filename.startsWith('squads/') ||
+              f.previous_filename?.startsWith('squads/')
+            );
+            if (hasSquadChanges) {
+              await github.rest.issues.addLabels({
+                issue_number: context.payload.pull_request.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                labels: ['needs-po-review']
+              });
+            }
 
