
ci: remove pull_request_target trigger from release-drafter #377

Open

ryantm wants to merge 1 commit into main from ryantm/remove-pr-target-release-drafter

Conversation


@ryantm ryantm commented May 12, 2026

Why

The TanStack NPM supply-chain compromise (postmortem) exploited a pull_request_target workflow. Per security policy, we're removing pull_request_target from all Replit-owned public repos as a precaution.

This workflow's current usage isn't immediately exploitable — it only runs the release-drafter action and never checks out PR head code — but the trust boundary is fragile and we'd rather not have any pull_request_target in public repos.

Slack thread: https://replit.slack.com/archives/C03FS477T17/p1778588219046429

What changed

Removed the pull_request_target trigger block from .github/workflows/release-drafter.yml. The workflow_dispatch, push, and pull_request triggers all stay.

Side-effect: autolabeler will no longer run on PRs from forks. Release notes are still drafted on pushes/merges to main, so the only impact is that fork PRs won't get autolabeled until merged.

Versioning

  • Breaking protocol change
  • Breaking ts/js API change

Revertibility

Safe to revert — single-file CI workflow change with no runtime, data, or protocol impact.


~ written by Zerg 👾 (warped-guardian-042e)

Eliminates exposure of the supply-chain-attack pattern demonstrated by
the TanStack NPM compromise. The release-drafter workflow never checks
out PR head code, so the current usage isn't immediately exploitable,
but we're removing pull_request_target from all Replit-owned public
repos as a precaution.

Side-effect: autolabeler will no longer run on PRs from forks. Release
notes are still drafted on pushes/merges to main, so the only impact
is that fork PRs won't get autolabeled until merged.
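The check behind this change, as an added audit script (my example, not Replit's code or the repository's own tooling): it reads a workflow's top-level `on:` block without PyYAML, flags the pull_request_target trigger the PR removes, and separately flags the riskier case the description contrasts it with, where PR head code is also checked out under that trigger. The BEFORE and AFTER texts are constructed stand-ins for release-drafter.yml, whose real contents are not on this page.

```python
# Added example, not code from the Replit repo: a dependency-free audit that a
# workflow's `on:` block does not use pull_request_target and, if it does, that
# it is not also checking out PR head code. BEFORE/AFTER are constructed stand-ins.
import re
TRIGGER_RE = re.compile(r"^(?P<indent>[ \t]*)(?:-[ \t]*)?(?P<name>[a-z_]+)[ \t]*:?[ \t]*$")
ON_RE = re.compile(r'^(?:on|"on"):[ \t]*(.*)$')
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
def workflow_triggers(text: str) -> set[str]:
    """Event names under the top-level `on:` key (flow, scalar or block style)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ON_RE.match(line)
        if m is None:
            continue
        inline = m.group(1).strip()
        if inline.startswith("["):  # on: [push, pull_request]
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        if inline:  # on: push
            return {inline}
        names, child_indent = set(), None
        for child in lines[i + 1:]:
            if child.strip() and child[0] not in " \t":
                break  # next top-level key (jobs:, env:) ends the on: block
            tm = TRIGGER_RE.match(child)  # matches "  push:" / "  - push", not "    types: [..]"
            if tm and child_indent is None:
                child_indent = len(tm.group("indent"))
            if tm and len(tm.group("indent")) == child_indent:  # first level only
                names.add(tm.group("name"))
        return names
    return set()

def audit(text: str) -> list[str]:
    """Findings: the trigger itself, plus the riskier checkout-of-PR-head variant."""
    findings = []
    if "pull_request_target" in workflow_triggers(text):
        findings.append("pull_request_target trigger present")
        if HEAD_REF_RE.search(text):
            findings.append("PR head code checked out under pull_request_target")
    return findings
BEFORE = """\
on:
  push:
  pull_request:
  pull_request_target:
    types: [opened, synchronize]
  workflow_dispatch:
jobs:
"""
AFTER = BEFORE.replace("  pull_request_target:\n    types: [opened, synchronize]\n", "")
```

Running `audit` over every file under `.github/workflows/` gives a quick inventory of which public repos still carry the trigger, and which of those are in the more exposed checkout-of-head state.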
@ryantm ryantm added the zergling-authored label (PRs authored by Zerg) May 12, 2026
@ryantm ryantm marked this pull request as ready for review May 12, 2026 12:59
@ryantm ryantm requested a review from a team as a code owner May 12, 2026 12:59
@ryantm ryantm requested review from jackyzha0 and removed request for a team May 12, 2026 12:59
@ryantm ryantm enabled auto-merge (squash) May 12, 2026 12:59