#59 - Use pull_request_target event in PR workflow to support fork CI with secrets #60

Description

Switch the PR workflow trigger from pull_request to pull_request_target so
that the full CI pipeline (including Sonar analysis) runs for fork PRs. All
actions/checkout@v4 steps are updated to check out the PR head commit
explicitly via ref: ${{ github.event.pull_request.head.sha }}.

Type of Change

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to
    not work as expected)
  • [ ] Documentation update
  • [ ] Performance improvement
  • [ ] Refactoring (no functional changes)
  • [x] CI/CD update

Related Issue

Fixes #59

Testing

  • [ ] Unit tests added/updated
  • [x] Manual testing performed — workflow triggered on a fork PR and verified
    all jobs (prettier, tsc, lint, unit-testing, sonar) ran successfully with
    access to secrets
  • [ ] Tested on iOS
  • [ ] Tested on Android

Breaking Changes

None. This change only affects how the CI workflow is triggered; no code, API,
or configuration changes are made to the library itself.

Checklist

  • [x] Code follows the project's code style (Prettier, ESLint)
  • [x] TypeScript types are properly defined
  • [x] Tests pass locally
  • [ ] Documentation updated (if needed)
  • [x] CI checks pass (Prettier, TypeScript, Lint, Tests, Sonar)

Additional Notes

Security consideration: Using
ref: ${{ github.event.pull_request.head.sha }} pins the checkout to the exact
SHA the contributor pushed, avoiding the ambiguity of the auto-merged ref. This
is the recommended approach for pull_request_target in Forgejo to avoid
running untrusted code from a stale or manipulated merge commit.

The Sonar job's existing if: condition remains unchanged — it still only runs
when SONAR_TOKEN, SONAR_HOST_URL, SONAR_PROJECT_KEY, and
SONAR_PROJECT_NAME are all configured.
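
Since the description above has fork PRs running with access to secrets while every job checks out the contributor's commit, a reviewer would want to know which jobs combine the two. The following is an added example, not part of this PR or the project's code: a small audit that lists, per job, the secrets referenced alongside a PR-head checkout. The sample workflow is constructed; its step commands, the `npm run sonar` script name and the two-space indentation are assumptions.

```python
import re

# Constructed sample modelled on the change this PR describes; job names come
# from the PR's check list, step commands and secret wiring are assumptions.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm run lint
  sonar:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm run sonar
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
"""

HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
SECRET = re.compile(r"\$\{\{[^}]*\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
JOB_KEY = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")

def split_jobs(text):
    """Map job id -> body text, assuming two-space indentation under `jobs:`."""
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # blank or comment line
        if not line.startswith(" "):                   # top-level key
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and JOB_KEY.match(line):
            current = JOB_KEY.match(line).group(1)
            jobs[current] = []
        elif current:
            jobs[current].append(line)
    return {name: "\n".join(body) for name, body in jobs.items()}

def audit_workflow(text):
    """Return {job: secret names} for jobs that check out the PR head and
    reference secrets in a workflow triggered by pull_request_target."""
    if not re.search(r"\bpull_request_target\b", text):
        return {}
    hits = {name: sorted(set(SECRET.findall(body)))
            for name, body in split_jobs(text).items() if HEAD_REF.search(body)}
    return {name: names for name, names in hits.items() if names}
```

On the constructed sample this reports only the `sonar` job, which is where fork-supplied code and `SONAR_TOKEN` meet in the same job.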

#59 - Switch PR workflow to pull_request_target to support fork CI with secrets
All checks were successful
/ pre-check (push) Successful in 9s
/ prettier (push) Successful in 32s
/ tsc (push) Successful in 36s
/ lint (push) Successful in 30s
/ unit-testing (push) Successful in 31s
/ sonar (push) Successful in 57s
4717a78d9f
GuillaumeHemmen scheduled this pull request to auto merge when all checks succeed 2026-04-13 15:24:00 +00:00
#59 - Update PR workflow to listen to both pull_request and pull_request_target for improved CI event handling
All checks were successful
/ pre-check (push) Successful in 13s
/ prettier (push) Successful in 27s
/ tsc (push) Successful in 31s
/ lint (push) Successful in 33s
/ unit-testing (push) Successful in 31s
/ tsc (pull_request) Successful in 30s
/ prettier (pull_request) Successful in 34s
/ lint (pull_request) Successful in 32s
/ unit-testing (pull_request) Successful in 31s
/ sonar (push) Successful in 1m4s
/ sonar (pull_request) Successful in 55s
60bb3b3fbf
GuillaumeHemmen canceled auto merging this pull request when all checks succeed 2026-04-13 15:28:21 +00:00
GuillaumeHemmen deleted branch 59-Use-pull_request_target-event-in-PR-workflow-to-support-fork-CI-with-secrets 2026-04-13 15:34:29 +00:00