fix: support pull_request_target case

[gberenice]

what

• When workflows use pull_request_target trigger (needed for accessing secrets), the default checkout behavior checks out the base branch (main) instead of the PR branch, causing tests to run against the wrong code. Updated the checkout step to explicitly check out the PR code when running in pull_request_target context, with proper fallbacks for other trigger types.

why

• Check out the branch we actually want to test.

references

• N/A

Summary by CodeRabbit

• Bug Fixes

  • Corrected checkout behavior for pull_request_target to use the PR head, improving accuracy for forked pull requests.

• Chores

  • Streamlined the Trunk upgrade workflow into a single step.
  • Switched to a secrets-based token for upgrades.
  • Updated default reviewers to the open-source group.
  • Removed the commit prefix configuration in the upgrade step.
  • Renamed the upgrade step for clarity and removed obsolete steps.

[coderabbitai]

Walkthrough

• .github/workflows/trunk-upgrade.yaml replaces the tibdex/github-app-token and trunk-io/trunk-action/upgrade steps with a single masterpointio/github-action-trunk-upgrade@fix/admin-permissions step.
• Inputs updated: app_id → app-id, private_key → app-private-key; github-token now uses secrets.MASTERPOINT_TEAM_PAT; reviewers changed to @masterpointio/masterpoint-open-source; prefix removed.
• action.yaml modifies the Checkout step to be PR-aware in pull_request_target: checks out PR head SHA/repo with fallbacks to github.sha and default repository.
• No other steps altered.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore: add usage clarification + revert deleted release changes github-action-trunk-upgrade#8 — Aligns with updated inputs and admin-permissions behavior used by the new workflow step.
• feat: initial version github-action-trunk-upgrade#1 — Introduces the reusable action that replaces the prior token/upgrade steps referenced here.
• chore: reusable trunk-upgrade terraform-module-template#52 — Mirrors the same swap to the reusable trunk-upgrade action and input key changes.

Suggested reviewers

• oycyc

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/support-pr-case

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/trunk-upgrade.yaml (1)

22-29: Pin the custom action to a commit SHA.

Using a branch ref (@fix/admin-permissions) risks supply-chain drift. Pin to a vetted commit SHA and optionally add a comment linking to the tag it corresponds to.

-      - name: Run Trunk Upgrade
-        uses: masterpointio/github-action-trunk-upgrade@fix/admin-permissions
+      - name: Run Trunk Upgrade
+        # Pin to an immutable commit SHA to prevent unexpected changes
+        uses: masterpointio/github-action-trunk-upgrade@<COMMIT_SHA>
         with:
           app-id: ${{ secrets.MP_BOT_APP_ID }}
           app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
           github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
           reviewers: "@masterpointio/masterpoint-open-source"

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ce15c8e and 45ff4bb.

📒 Files selected for processing (2)

• .github/workflows/trunk-upgrade.yaml (1 hunks)
• action.yaml (1 hunks)

🔇 Additional comments (1)

.github/workflows/trunk-upgrade.yaml (1)

22-29: Validate inputs and token scopes.

Confirm the action’s input names (app-id, app-private-key) match its current interface and that MASTERPOINT_TEAM_PAT has the minimal scopes required (e.g., contents:write and pull_request permissions for private repos; public_repo for public).

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Avoid running untrusted PR code with privileged credentials in pull_request_target.

Checking out fork code in pull_request_target can execute untrusted code with base-repo permissions/secrets. Prefer the merge ref from the base repo and drop persisted credentials to reduce blast radius.

Apply this safer checkout:

       with:
         token: ${{ inputs.github_token }}
-        # For pull_request_target: checkout the actual PR code, not the base branch
-        ref: ${{ github.event.pull_request.head.sha || github.sha }}
-        # Support forks by using the head repository when available
-        repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+        # In pull_request_target, use the base repo's synthetic merge ref to avoid cross-repo clones
+        # and to prevent running fork code with elevated credentials. Otherwise, fall back to sha.
+        ref: ${{ (github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number)) || github.event.pull_request.head.sha || github.sha }}
+        # Always clone from the base repository to avoid permission issues with forks
+        repository: ${{ github.repository }}
+        # Do not persist credentials into the repo's local config (reduces risk of token exfiltration)
+        persist-credentials: false
+        # Faster, smaller checkout
+        fetch-depth: 1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# For pull_request_target: checkout the actual PR code, not the base branch
	ref: ${{ github.event.pull_request.head.sha || github.sha }}
	# Support forks by using the head repository when available
	repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
	with:
	token: ${{ inputs.github_token }}
	# In pull_request_target, use the base repo's synthetic merge ref to avoid cross-repo clones
	# and to prevent running fork code with elevated credentials. Otherwise, fall back to sha.
	ref: ${{ (github.event_name == 'pull_request_target' && format('refs/pull/{0}/merge', github.event.number)) || github.event.pull_request.head.sha || github.sha }}
	# Always clone from the base repository to avoid permission issues with forks
	repository: ${{ github.repository }}
	# Do not persist credentials into the repo's local config (reduces risk of token exfiltration)
	persist-credentials: false
	# Faster, smaller checkout
	fetch-depth: 1

🤖 Prompt for AI Agents

In action.yaml around lines 36 to 39, the checkout currently uses the PR head
ref and head repository which runs untrusted fork code in pull_request_target;
change the checkout to use the merge ref from the base repo (e.g.
github.event.pull_request.merge_commit_sha || github.sha) and set repository to
the base repo (github.repository) instead of the head repo, and disable
persisting credentials (persist-credentials: false) so actions do not expose
base-repo secrets to checked-out PR code.

---

💡 Verification agent

❓ Verification inconclusive

Cross-repo checkout will often fail with GITHUB_TOKEN.

The default GITHUB_TOKEN typically lacks access to fork repos; using head.repo.full_name will 404 on public forks and fail on private forks. The merge-ref approach above also resolves this reliability issue.

---

Restore merge-ref checkout for pull_request_target
The actions/checkout step using repository: ${{ github.event.pull_request.head.repo.full_name }} will 404 with GITHUB_TOKEN on forked repos; revert to the merge-ref approach (ref: ${{ github.event.pull_request.merge_commit_sha }}) for reliable cross-repo checkout (jvt.me).

🤖 Prompt for AI Agents

In action.yaml around lines 36 to 39, the checkout step currently tries to use
the PR head repo and head SHA which causes 404s with GITHUB_TOKEN on forked
repos; replace the ref with the merge commit ref and avoid using the forked repo
for pull_request_target. Set ref to ${{
github.event.pull_request.merge_commit_sha }} and use the target repository
(e.g. ${{ github.repository }}) so the action checks out the merge-ref in the
repository where the workflow runs, ensuring reliable cross-repo checkout with
GITHUB_TOKEN.