From 6ab4565964480ddf5547939ea374a81c66b68386 Mon Sep 17 00:00:00 2001 From: borislavr Date: Mon, 13 Oct 2025 09:03:25 +0000 Subject: [PATCH 1/3] fix(ci): update PR auto-assignment workflow to use pull_request event and improve fork handling Related issue: pull_request_target vulnerability (https://nx.dev/blog/s1ngularity-postmortem) --- .github/workflows/pr-assigner.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/pr-assigner.yml diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml new file mode 100644 index 000000000..75601f997 --- /dev/null +++ b/.github/workflows/pr-assigner.yml @@ -0,0 +1,31 @@ +name: PR Auto-Assignment +run-name: "Assigning reviewers for PR #${{ github.event.pull_request.number }}" +on: + pull_request: + types: [opened, reopened, synchronize] + branches: + - main + +permissions: + pull-requests: write + contents: read + +jobs: + pr-auto-assign: + runs-on: ubuntu-latest + + steps: + - name: Check if PR is from a fork + run: | + if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.event.pull_request.base.repo.full_name }}" ]; then + echo "⚠️ Pull request is from a fork — skipping assignee assignment (no write permissions)." + exit 0 + fi + + - uses: actions/checkout@v5 + with: + persist-credentials: false + + - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0 + env: + GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} From 9ea82a69e96850347b27aa01457be5b09be18db2 Mon Sep 17 00:00:00 2001 From: borislavr Date: Mon, 13 Oct 2025 10:03:48 +0000 Subject: [PATCH 2/3] fix(ci): update PR auto-assignment workflow to use pull_request event and improve fork handling Related issue: pull_request_target vulnerability (https://nx.dev/blog/s1ngularity-postmortem) --- .github/workflows/pr-assigner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml index 75601f997..23739434e 100644 --- a/.github/workflows/pr-assigner.yml +++ b/.github/workflows/pr-assigner.yml @@ -28,4 +28,4 @@ jobs: - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0 env: - GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 3871612e70d159a9d6a126b6a868e7876c9b7e71 Mon Sep 17 00:00:00 2001 From: borislavr Date: Tue, 14 Oct 2025 07:20:50 +0000 Subject: [PATCH 3/3] fix(ci): update PR auto-assignment workflow to use pull_request event and improve fork handling Related issue: pull_request_target vulnerability (https://nx.dev/blog/s1ngularity-postmortem) --- .github/workflows/pr-assigner.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml index 23739434e..66965ff6a 100644 --- a/.github/workflows/pr-assigner.yml +++ b/.github/workflows/pr-assigner.yml @@ -1,7 +1,7 @@ name: PR Auto-Assignment run-name: "Assigning reviewers for PR #${{ github.event.pull_request.number }}" on: - pull_request: + pull_request_target: types: [opened, reopened, synchronize] branches: - main @@ -26,6 +26,6 @@ jobs: with: persist-credentials: false - - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0 + - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@b575bad3a0959c4e883bc34f9d055ff07fde2dbd #2.0.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}