fix: restore pull_request_target for fork PR secrets access

TooAngel · TooAngel · commit 6bd8597074cb · 2026-01-24T09:41:28.000+01:00
The workflow was accidentally regressed to use pull_request instead of pull_request_target when PR #3 was squash merged. This prevented fork PRs from accessing repository secrets needed for the migrate app authentication. Changes: - Restore pull_request_target trigger - Add sparse checkout of REPOSITORIES.md from PR - Keep trusted scripts from main branch for security - Maintain MIGRATE_APP_ID/PRIVATE_KEY env vars from PR #28
diff --git a/.github/workflows/drift-detection.yml b/.github/workflows/drift-detection.yml
@@ -1,7 +1,9 @@
 name: Repository Drift Detection
 
+# Use pull_request_target to run trusted workflow from base repository
+# This allows access to secrets while running code from main branch
 on:
-  pull_request:
+  pull_request_target:
 
 jobs:
   detect-drift:
@@ -12,8 +14,25 @@ jobs:
       contents: read
 
     steps:
-      - name: Checkout code
+      # Checkout the base repository (main branch) - trusted code
+      - name: Checkout base repository
         uses: actions/checkout@v4
+        with:
+          ref: main
+
+      # Checkout PR's REPOSITORIES.md to see what changes are proposed
+      - name: Checkout PR REPOSITORIES.md
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          sparse-checkout: |
+            REPOSITORIES.md
+          sparse-checkout-cone-mode: false
+          path: pr-files
+
+      # Copy PR's REPOSITORIES.md to working directory
+      - name: Use PR's REPOSITORIES.md
+        run: cp pr-files/REPOSITORIES.md REPOSITORIES.md
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -63,8 +82,6 @@ jobs:
           cat sync-preview.md >> $GITHUB_STEP_SUMMARY
 
       - name: Comment PR with drift report and sync preview
-        # Skip commenting on fork PRs (no write permissions), but drift report is available in workflow summary above
-        if: github.event.pull_request.head.repo.full_name == github.repository
         uses: actions/github-script@v7
         with:
           script: |
@@ -107,7 +124,7 @@ jobs:
       - name: Check drift detection result
         if: steps.drift.outputs.exit_code != '0'
         run: |
-          echo "❌ Transfer blocked: worlddriven lacks admin permission on source repository"
+          echo "❌ Transfer blocked: worlddriven-migrate app not installed on source repository"
           echo "Review the drift report in the workflow summary above"
-          echo "Grant worlddriven admin access to the source repository to unblock"
+          echo "Install the worlddriven-migrate app on the source repository to unblock"
           exit 1
