From 01eb56f04753381bdc8d4a9d2b16d0901bb69afc Mon Sep 17 00:00:00 2001
From: Andrew Rabert <ar@nullsum.net>
Date: Thu, 19 Feb 2026 23:53:48 -0500
Subject: Mitigate pull_request_target privilege escalation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hotfix — replaces pull_request_target with pull_request to stop
granting write permissions and secrets to fork PRs. Some workflows
will break; can be fixed properly later.
---
 .github/workflows/ci-openapi.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to '.github/workflows/ci-openapi.yml')

diff --git a/.github/workflows/ci-openapi.yml b/.github/workflows/ci-openapi.yml
index 08eedd54f..3d04ac5e0 100644
--- a/.github/workflows/ci-openapi.yml
+++ b/.github/workflows/ci-openapi.yml
@@ -5,7 +5,7 @@ on:
       - master
     tags:
       - 'v*'
-  pull_request_target:
+  pull_request:
 
 permissions: {}
 
@@ -78,7 +78,7 @@ jobs:
       pull-requests: write
 
     name: OpenAPI - Difference
-    if: ${{ github.event_name == 'pull_request_target' }}
+    if: ${{ github.event_name == 'pull_request' }}
     runs-on: ubuntu-latest
     needs:
       - openapi-head
@@ -109,7 +109,7 @@ jobs:
 
   publish-unstable:
     name: OpenAPI - Publish Unstable Spec
-    if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+    if: ${{ github.event_name != 'pull_request' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
     runs-on: ubuntu-latest
     needs:
       - openapi-head
-- 
cgit v1.2.3