[PETOSS-829] Allow codegen validation to be run from forked PRs (#763)

the-chris-mitchell · web-flow · commit 6eaaa5fa5cd4 · 2025-10-29T14:11:53.000+13:00
* [PETOSS-829] Use var for app_id as per docs

* [PETOSS-829] Replace access token action

* [PETOSS-829] Split workflows and run codegen validation via pull_request_target
This is necessary as we can't access secrets from pull_request from forks
diff --git a/.github/workflows/pr-linting.yml b/.github/workflows/pr-linting.yml
@@ -0,0 +1,16 @@
+name: PR Linting
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  linting:
+    runs-on: ubuntu-latest
+    name: MegaLinter Validation
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: MegaLinter
+        uses: oxsecurity/megalinter/flavors/documentation@v9
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -1,23 +1,11 @@
 name: PR Validation
 
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, reopened, synchronize]
-  push:
-    branches:
-      - master
+    branches: [master]
 
 jobs:
-  linting:
-    runs-on: ubuntu-latest
-    name: MegaLinter Validation
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: MegaLinter
-        uses: oxsecurity/megalinter/flavors/documentation@v9
-
   codegen-validation:
     runs-on: ubuntu-latest
     name: Codegen Repo Validation
@@ -46,7 +34,7 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.get_access_token.outputs.token }}
         run: |
-          BRANCH_NAME="${{ github.event_name == 'pull_request' && github.head_ref || 'master' }}"
+          BRANCH_NAME="${{ github.event.pull_request.head.sha }}"
 
           # Trigger the workflow and capture the response
           gh workflow run pr.yml \
