ci(pr-bot): run on pull_request_target so fork PRs get labeled

fork PRs get a read-only token on pull_request, so the label, size and ci-summary jobs 403 and the summary check shows red on every external PR. run on pull_request_target (write token, base-repo context), key the concurrency group on the PR number so runs don't collide, and drop the size job's unused checkout. none of these jobs check out or run PR code, they only call the github API with the event payload, so this is the safe labeler pattern. supersedes #146 (same fix by @TBX3D, which conflicted after the checkout bump in #143).
2026-06-27 00:43:59 -07:00 · 2026-06-22 17:20:58 -07:00
1 changed files with 2 additions and 3 deletions
@@ -1,7 +1,7 @@
 name: pr bot

 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize, reopened, edited]

 permissions:
@@ -9,7 +9,7 @@ permissions:
  pull-requests: write

 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-pr-${{ github.event.pull_request.number }}
  cancel-in-progress: true

 jobs:
@@ -23,7 +23,6 @@ jobs:
  size:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v7
      - name: label pr size
        uses: actions/github-script@v9
        with: