Closed as not planned
Description
Problem
The add-to-project workflow currently triggers on `pull_request` events. For PRs from forks (external contributors), GitHub doesn't pass secrets to the workflow for security reasons. This means PRs from external contributors on open-source repos (like the SDK, easyInvoice) won't be automatically added to the project board.
Current behavior:
- External issues → Added to project board ✅
- External PRs with linked issues → Covered via the linked issue ✅
- External PRs without linked issues → Not added to board ❌
Proposed Solution
Change from `pull_request` to `pull_request_target` event trigger.
`pull_request_target` runs in the context of the base branch and has access to secrets, even for fork PRs. This is safe for our use case because:
- We don't checkout or execute any code from the PR
- We only read PR metadata (number, linked issues) and add items to the project board
Changes needed:
- Update the reusable workflow in `.github` to use `pull_request_target`
- Update all caller workflows across repos (can be done via deployment script)
Considerations
- `pull_request_target` is generally discouraged because it can be dangerous if you run untrusted code, but our workflow is safe
- Need to verify the workflow still gets correct PR metadata with `pull_request_target`
- May want to add explicit `permissions` block for defense in depth
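As an added illustration (not the repository's own files), here is what a caller workflow and the reusable workflow it calls could look like with the `pull_request_target` trigger, an explicit empty `permissions` block, and no checkout or `run:` step; the org name, file paths, project URL and secret names are placeholders.

```yaml
# --- Caller workflow in each repo, e.g. .github/workflows/add-to-project.yml (path assumed) ---
name: Add PR to project board

on:
  # Runs the BASE branch's copy of this file, so secrets are available even for fork PRs.
  pull_request_target:
    types: [opened, reopened]
  issues:
    types: [opened, reopened]

# Defense in depth: GITHUB_TOKEN gets no scopes; the called workflow cannot raise them.
permissions: {}

jobs:
  add-to-project:
    # 'example-org' and the file path are placeholders for the org's real reusable workflow.
    uses: example-org/.github/.github/workflows/add-to-project-reusable.yml@main
    with:
      project-url: https://github.com/orgs/example-org/projects/1   # placeholder project
    secrets:
      ADD_TO_PROJECT_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}     # secret name assumed

---
# --- Reusable workflow in the org's .github repo (file name assumed) ---
name: Add to project (reusable)

on:
  workflow_call:
    inputs:
      project-url:
        required: true
        type: string
    secrets:
      ADD_TO_PROJECT_TOKEN:
        required: true

permissions: {}   # the PAT does the project write; GITHUB_TOKEN needs nothing

jobs:
  add:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout and no `run:` step: nothing from the PR head
      # is fetched or executed, which is the property that makes pull_request_target
      # acceptable here. Only event metadata and the token reach the action.
      - uses: actions/add-to-project@v1
        with:
          project-url: ${{ inputs.project-url }}
          github-token: ${{ secrets.ADD_TO_PROJECT_TOKEN }}
```

Since the job never fetches or runs PR code, the remaining trust boundary is the PAT itself, so scope it to project write only and review any later step added to this workflow for checkout or script execution.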