
ci: remove pull_request_target trigger from release-drafter #31

Open
ryantm wants to merge 1 commit into main from ryantm/remove-pull-request-target

Conversation


@ryantm ryantm commented May 12, 2026

Why

The recent TanStack NPM supply-chain compromise was facilitated by a pull_request_target workflow. Per Replit security policy, we're removing pull_request_target triggers from all Replit-owned public repos as a precaution, even where the current use looks safe, to eliminate exposure to that attack pattern.

Discussion: Slack thread.

What changed

Removed the pull_request_target trigger block from .github/workflows/release-drafter.yml. The workflow still runs on:

  • workflow_dispatch (manual)
  • push to main — release notes continue to be drafted on merge
  • pull_request from branches in the same repo — autolabeler still runs here

Tradeoff: the autolabeler will no longer run on PRs opened from forks. That's an acceptable loss given the security benefit, and the rest of the release-drafter flow (drafting release notes on push to main) is unaffected.

Test plan

  • Diff is a clean removal of the pull_request_target: block; no other lines change.
  • yq/manual YAML inspection confirms the remaining on: triggers (workflow_dispatch, push, pull_request) still parse correctly.
  • Behavioral verification will happen on the next merge to main (release notes still draft) and the next intra-repo PR (autolabeler still fires).

Rollout

  • This is fully backward and forward compatible

Workflow-only change with no runtime impact on the published package.

Revertibility

Safe to revert. This is a workflow-only change; reverting restores the prior trigger configuration with no data or state implications.


~ written by Zerg 👾 (hungry-medic-9d57)
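As an added example (not part of the PR or the repository), the following Python script does the two things a maintainer applying this policy across many repositories would want: list the event triggers a workflow declares and flag `pull_request_target`, and strip that trigger block the same way the PR does. The embedded workflow text is a constructed stand-in for a release-drafter configuration, not the repository's actual file, and the scanner is deliberately line-based so it needs no YAML library.

```python
# Added example (not the repository's code): audit GitHub Actions workflow files for the
# pull_request_target trigger and strip it the way the PR above does. The workflow text
# is a constructed stand-in for a release-drafter config, not the repo's actual file.
import re
from typing import List, Optional

BEFORE = """\
on:
  workflow_dispatch:
  push:
    branches: [main]
  pull_request:
    types: [opened, reopened, synchronize]
  pull_request_target:
    types: [opened, reopened, synchronize]

permissions:
  contents: read
"""

AFTER = """\
on:
  workflow_dispatch:
  push:
    branches: [main]
  pull_request:
    types: [opened, reopened, synchronize]

permissions:
  contents: read
"""

# Line-based on purpose: YAML 1.1 loaders such as PyYAML read the bare key `on` as the
# boolean True, and a dependency-free scanner is easy to run across many repositories.
_ON_KEY = re.compile(r'^(?:on|"on"|\'on\'):\s*(.*)$')


def _on_rest(line: str) -> Optional[str]:
    """Inline value of a top-level `on:` line, comments stripped ('' = nested form); None otherwise."""
    m = _ON_KEY.match(line.rstrip("\n"))
    return None if m is None else m.group(1).split("#", 1)[0].strip()


def _key(stripped: str) -> str:
    """Mapping key or sequence item name, with trailing comment and quotes removed."""
    return stripped.split("#", 1)[0].split(":", 1)[0].strip().strip("\"'")


def workflow_triggers(text: str) -> List[str]:
    """Event names under `on:` in any accepted shape: `on: push`, `on: [a, b]`, nested mapping/sequence."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        rest = _on_rest(line)
        if rest is None:
            continue
        if rest.startswith("["):
            return [t.strip().strip("\"'") for t in rest.strip("[]").split(",") if t.strip()]
        if rest:
            return [rest.strip("\"'")]
        triggers: List[str] = []
        child_indent: Optional[int] = None
        for nxt in lines[i + 1:]:
            stripped = nxt.strip()
            if not stripped or stripped.startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break  # next top-level key ends the `on:` block
            child_indent = indent if child_indent is None else child_indent
            if indent != child_indent:
                continue  # nested options such as `branches:` or `types:`
            item = stripped[2:] if stripped.startswith("- ") else stripped
            triggers.append(_key(item))
        return triggers
    return []


def remove_trigger(text: str, name: str) -> str:
    """Drop the `name:` block (with its nested lines) from the mapping form of `on:`.
    A blank line or a dedent ends the block; inline forms are left for manual editing."""
    out: List[str] = []
    in_on = skipping = False
    child_indent: Optional[int] = None
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if _on_rest(line) == "":
            in_on, child_indent = True, None
        elif in_on and stripped and indent == 0:
            in_on = skipping = False  # back at top level
        elif in_on and not stripped:
            skipping = False
        elif in_on and not stripped.startswith("#"):
            child_indent = indent if child_indent is None else child_indent
            if skipping and indent > child_indent:
                continue  # nested line of the block being removed
            skipping = False
            if indent == child_indent and _key(stripped) == name:
                skipping = True
                continue
        elif in_on and skipping and child_indent is not None and indent > child_indent:
            continue  # comment inside the removed block
        out.append(line)
    return "".join(out)
```

Running `workflow_triggers(BEFORE)` lists all four events, including `pull_request_target`, and `remove_trigger(BEFORE, "pull_request_target")` yields exactly `AFTER`, which is the shape the PR's test plan checks for: the remaining `workflow_dispatch`, `push` and `pull_request` triggers intact and no other lines changed. The scanner matches `on:` only at column 0, so `on:` keys nested inside jobs or steps are never mistaken for the workflow trigger.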

Removes the pull_request_target trigger from the release-drafter workflow to
eliminate exposure to the supply-chain-attack pattern abused in the TanStack
NPM compromise.

See: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
@ryantm ryantm added the zergling-authored Authored by a zergling label May 12, 2026
@ryantm ryantm marked this pull request as ready for review May 12, 2026 13:00
@ryantm ryantm requested a review from a team as a code owner May 12, 2026 13:00
@ryantm ryantm requested review from brenoafb and removed request for a team May 12, 2026 13:00
@ryantm ryantm enabled auto-merge (squash) May 12, 2026 15:19