feea8a7611
This PR switches four lightweight workflows from `pull_request` to `pull_request_target` to stop GitHub from requiring manual approval when the `mathlib-lean-pr-testing[bot]` app triggers label events (e.g. adding `builds-mathlib`). Since the bot never lands commits on master, it is perpetually treated as a "first-time contributor" and every `pull_request` event it triggers requires approval. `pull_request_target` events always run without approval because they execute trusted code from the base branch. This is safe for all four workflows because none check out or execute code from the PR branch — they only read labels, PR body, and file lists from the event payload and API: - `awaiting-mathlib.yml` — checks label combinations - `awaiting-manual.yml` — checks label combinations - `pr-body.yml` — checks PR body formatting - `check-stdlib-flags.yml` — checks if stdlib_flags.h was modified via API Also adds explicit `permissions: pull-requests: read` to each workflow as a least-privilege hardening measure, since `pull_request_target` has access to secrets. Addresses the issue reported by Sebastian: https://lean-fro.zulipchat.com/#narrow/channel/398861-general/topic/mathlib.20pr-testing.20breakage.3F/near/575084348 🤖 Prepared with Claude Code --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| actionlint.yml | ||
| awaiting-manual.yml | ||
| awaiting-mathlib.yml | ||
| backport.yml | ||
| build-template.yml | ||
| check-prelude.yml | ||
| check-stage0.yml | ||
| check-stdlib-flags.yml | ||
| ci.yml | ||
| copyright-header.yml | ||
| grove.yml | ||
| jira.yml | ||
| labels-from-comments.yml | ||
| pr-body.yml | ||
| pr-release.yml | ||
| pr-title.yml | ||
| restart-on-label.yml | ||
| stale.yml | ||
| update-stage0.yml | ||