Merge pull request #4856 from wled/copilot/fix-4855

netmindz · web-flow · commit 1fb9eb771e2c · 2025-08-21T00:23:02.000+01:00
Fix GitHub workflow secret access from forked PRs
diff --git a/.github/workflows/pr-merge.yaml b/.github/workflows/pr-merge.yaml
@@ -1,12 +1,13 @@
     name: Notify Discord on PR Merge
     on:
       workflow_dispatch:
-      pull_request:
+      pull_request_target:
         types: [closed]
 
     jobs:
       notify:
         runs-on: ubuntu-latest
+        if: github.event.pull_request.merged == true
         steps:
         - name: Get User Permission
           id: checkAccess
@@ -23,11 +24,6 @@
             echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
             echo "Job originally triggered by ${{ github.actor }}"
             exit 1
-        - name: Checkout code
-          uses: actions/checkout@v3
-          with:
-            ref: ${{  github.event.pull_request.head.sha }} # This is dangerous without the first access check
         - name: Send Discord notification
-          # if: github.event.pull_request.merged == true
           run: |
             curl -H "Content-Type: application/json" -d '{"content": "Pull Request ${{ github.event.pull_request.number }} merged by ${{ github.actor }}"}' ${{ secrets.DISCORD_WEBHOOK_BETA_TESTERS }}
