ci: pull_request_target & remove useless secret

[NoPlagiarism]

Small addition to #3117 ( Discussed here )

[github-actions]

@check-spelling-bot Report

🔴 Please review

See the 📂 files view, the 📜action log, or 📝 job summary for details.

❌ Errors	Count
❌ forbidden-pattern	22
❌ ignored-expect-variant	1
⚠️ non-alpha-in-dictionary	19

See ❌ Event descriptions for more information.

If the flagged items are 🤯 false positives

If items relate to a ...

• binary file (or some other file you wouldn't want to check at all).

  Please add a file path to the excludes.txt file matching the containing file.

  File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

  ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

• well-formed pattern.

  If you can write a pattern that would match it,
  try adding it to the patterns.txt file.

  Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

  Note that patterns can't match multiline strings.

[gitstream-cm]

Be a legend 🏆 by adding a before and after screenshot of the changes you made, especially if they are around UI/UX.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces modifications to two GitHub Actions workflow files. In .github/workflows/pr_assignee.yml, the repo-token parameter has been removed from the auto-author-assign action. In .github/workflows/pr_milestone.yml, the event trigger has been changed from pull_request to pull_request_target, which alters how the milestone assignment workflow is initiated for pull requests.

Changes

File	Change Summary
.github/workflows/pr_assignee.yml	Removed repo-token parameter from toshimaru/[email protected] action
.github/workflows/pr_milestone.yml	Changed event trigger from pull_request to pull_request_target

Possibly related PRs

• ci: fix permissions + migrate to fresher action (Pr Assign) #3117: Modifications to the toshimaru/[email protected] action configuration in .github/workflows/pr_assignee.yml

Suggested labels

bug, CI/CD

Suggested reviewers

• jjw24

Poem

🐰 Workflows dancing, tokens light
GitHub Actions taking flight
Pull requests hop with new delight
Milestones shift, automation's might
Code's rhythm finds its perfect height! 🚀

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 243ebb8 and 141634c.

📒 Files selected for processing (2)

• .github/workflows/pr_assignee.yml (0 hunks)
• .github/workflows/pr_milestone.yml (1 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/pr_assignee.yml

🔇 Additional comments (2)

.github/workflows/pr_milestone.yml (2)

Line range hint 9-10: Verify permissions and token usage

The workflow uses write permissions for pull-requests and the default GITHUB_TOKEN. This is appropriate for the milestone assignment task. The scoped permissions help follow the principle of least privilege.

Let's verify the token usage across workflows:

Also applies to: 19-22

✅ Verification successful

Token and permission configurations are consistent and well-scoped

The verification confirms that the token and permission configurations are appropriate:

• The pr_milestone.yml workflow correctly uses GITHUB_TOKEN with pull-requests: write permission, which is the minimum required for milestone assignment
• Other workflows follow similar security practices:
  • pr_assignee.yml: Same scoped permissions for PR operations
  • spelling.yml: Uses read-only permissions where possible
  • stale.yml: Explicitly declares required permissions
  • default_plugins.yml: Uses a separate PUBLISH_PLUGINS token for publishing operations

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify consistent token usage and permissions across workflows
# Look for workflows using GITHUB_TOKEN and their permission settings

echo "Checking for GITHUB_TOKEN usage in workflows:"
rg -A 2 "GITHUB_TOKEN" .github/workflows/

echo -e "\nChecking for permission declarations in workflows:"
rg -A 3 "permissions:" .github/workflows/

Length of output: 4335

---

6-6: Security Review Required: Switching to pull_request_target

The change from pull_request to pull_request_target requires careful security consideration. While this event type allows the workflow to access repository secrets when handling PRs from forks, it also runs workflow code from the base ref's context, which could be a security risk if the workflow checks out and runs code from the PR.

In this case, since the workflow only uses the andrefcdias/add-to-milestone action without checking out any code, the change appears safe. However, future modifications to this workflow should maintain this security boundary.

Let's verify there are no other workflows that might be affected by this change:

Consider documenting these security considerations in the workflow file comments for future maintainers.

✅ Verification successful

Security Review Complete: pull_request_target Usage is Safe

After analyzing both workflows, the change to pull_request_target in pr_milestone.yml is safe because:

1. The workflow has minimal permissions scope (pull-requests: write)
2. It doesn't checkout PR code or run untrusted code
3. Only uses a trusted action (andrefcdias/add-to-milestone) with repository token

The other workflow using pull_request_target (spelling.yml) is also properly configured with:

• Explicit permission boundaries
• Safe usage of checkout with proper security controls
• Appropriate concurrency settings

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for other workflows that might need similar changes or could be affected
# Look for workflows using pull_request events and accessing secrets

# Search for workflow files using pull_request
echo "Checking for workflows using pull_request events:"
rg -l "pull_request:" .github/workflows/

# Search for potential security-sensitive patterns in workflows
echo -e "\nChecking for workflows using checkout action with pull_request:"
rg -l "uses: actions/checkout@" .github/workflows/ | xargs rg "pull_request:"

Length of output: 401

---

Script:

#!/bin/bash
# Let's examine both workflows in detail to understand their configurations

echo "=== Content of pr_milestone.yml ==="
cat .github/workflows/pr_milestone.yml

echo -e "\n=== Content of spelling.yml ==="
cat .github/workflows/spelling.yml

# Let's also check if there are any other files that might reference these workflows
echo -e "\n=== Files referencing these workflows ==="
rg -l "pr_milestone|spelling" .github/

Length of output: 6732

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.