There's no reason to believe this script is actually vulnerable, but
now it's best practice to avoid using pull_request_target.
Signed-off-by: Patrick Donnelly <pdonnell@ibm.com>
---
name: "Check for missing .qa links"
on:
- pull_request_target:
+ pull_request:
types:
- opened
- synchronize
- edited
- reopened
-
+permissions:
+ contents: read
jobs:
- pull_request:
+ check-qa-links:
name: "Check for missing .qa links"
runs-on: ubuntu-latest
if: github.repository == 'ceph/ceph'
ref: 'refs/heads/main'
path: main
- - name: checkout PR HEAD
+ - name: Checkout PR HEAD
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
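Review bot: the checkout of `ref: ${{ github.event.pull_request.head.sha }}` is what made the old `pull_request_target` trigger risky, and it is only safe now because of the two other changes in this hunk: with `pull_request`, a run triggered by a fork gets no repository secrets and a read-only GITHUB_TOKEN, and the added `permissions: contents: read` block makes that read-only scope explicit rather than inherited from the repository default. Consider a one-line comment above the `permissions:` block saying the job must never be given write scopes or secrets because it checks out and runs untrusted PR code, so a later edit does not quietly undo this. Two smaller points: `pull_request` already checks out the PR merge ref by default, so the explicit `head.sha` ref is still fine but now a deliberate choice (head commit rather than merge result) and worth a comment; and the `if: github.repository == 'ceph/ceph'` guard still behaves the same under `pull_request`, since `github.repository` is the base repository for fork PRs.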