From: Patrick Donnelly Date: Wed, 4 Mar 2026 21:21:31 +0000 (-0500) Subject: .github: mitigate possible "hackerbot-claw" exploit X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F67658%2Fhead;p=ceph.git .github: mitigate possible "hackerbot-claw" exploit There's no reason to believe this script is actually vulnerable but now it's best practice to avoid using pull_request_target. Signed-off-by: Patrick Donnelly --- diff --git a/.github/workflows/qa-symlink.yml b/.github/workflows/qa-symlink.yml index 39413514c90..6f076c0037e 100644 --- a/.github/workflows/qa-symlink.yml +++ b/.github/workflows/qa-symlink.yml @@ -1,15 +1,16 @@ --- name: "Check for missing .qa links" on: - pull_request_target: + pull_request: types: - opened - synchronize - edited - reopened - +permissions: + contents: read jobs: - pull_request: + check-qa-links: name: "Check for missing .qa links" runs-on: ubuntu-latest if: github.repository == 'ceph/ceph' @@ -20,7 +21,7 @@ jobs: ref: 'refs/heads/main' path: main - - name: checkout PR HEAD + - name: Checkout PR HEAD uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }}
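Review bot: in the first hunk, the `pull_request_target` to `pull_request` switch is the change that actually removes the risk, because the job later checks out and works on the PR head (`ref: ${{ github.event.pull_request.head.sha }}`); under `pull_request` a fork PR runs with a read-only `GITHUB_TOKEN` and no repository secrets, so untrusted code in that checkout can no longer reach write privileges. The top-level `permissions: contents: read` block is a good addition as well, since it also narrows the token for same-repo PRs, where `pull_request` would otherwise grant the repository's default permissions. Two smaller points: the blank line before `jobs:` was dropped when `permissions:` was inserted, so consider restoring it for readability; and the job id rename from `pull_request` to `check-qa-links` deserves a sentence in the commit message, noting that the job's `name:` is unchanged so any required status check keyed on "Check for missing .qa links" is unaffected (required checks match on the check name, not the job id).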
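Review bot: in the second hunk, the only change is capitalising the step name (`checkout PR HEAD` to `Checkout PR HEAD`), which is cosmetic and unrelated to the mitigation named in the subject line; either drop it or mention the rename in the commit message so the diff reads as intended. The step itself, checking out `${{ github.event.pull_request.head.sha }}` with a SHA-pinned `actions/checkout`, is the right shape once the trigger is `pull_request`: the untrusted checkout now runs with the same reduced token as the rest of the job, and the pinned action SHA with its `# v4.2.2` comment should stay exactly as it is.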