From 25ee0967e502133328e0e109172da2adbc1ac4dd Mon Sep 17 00:00:00 2001
From: Patrick Donnelly
Date: Wed, 4 Mar 2026 16:21:31 -0500
Subject: [PATCH] .github: mitigate possible "hackerbot-claw" exploit

There's no reason to believe this script is actually vulnerable but now it's best practice to avoid using pull_request_target.

Signed-off-by: Patrick Donnelly
---
 .github/workflows/qa-symlink.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/qa-symlink.yml b/.github/workflows/qa-symlink.yml
index 39413514c90..6f076c0037e 100644
--- a/.github/workflows/qa-symlink.yml
+++ b/.github/workflows/qa-symlink.yml
@@ -1,15 +1,16 @@
 ---
 name: "Check for missing .qa links"
 on:
- pull_request_target:
+ pull_request:
 types:
 - opened
 - synchronize
 - edited
 - reopened
-
+permissions:
+ contents: read
 jobs:
- pull_request:
+ check-qa-links:
 name: "Check for missing .qa links"
 runs-on: ubuntu-latest
 if: github.repository == 'ceph/ceph'
@@ -20,7 +21,7 @@ jobs:
 ref: 'refs/heads/main'
 path: main
 
- - name: checkout PR HEAD
+ - name: Checkout PR HEAD
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 ref: ${{ github.event.pull_request.head.sha }}
-- 
2.47.3
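Review bot: The new top-level `permissions:` block carries no comment explaining why it exists, and a future editor is likely to widen it when a step needs to comment on the PR, quietly undoing the hardening this patch is for. With `pull_request`, fork-originated runs already get a read-only token and no secrets, so this block is what constrains runs from same-repo branches and what keeps the job honest about needing only tree access; I would record that above it: `# Read-only token: this job only inspects the checked-out trees. Keep pull_request (not pull_request_target) so fork PRs never run with write access or secrets.` Whether `contents: read` is actually sufficient depends on the remaining steps of `check-qa-links`, which lie outside this hunk; if any of them posts a check or comment it will now fail with 403 and that should be confirmed on a test PR.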
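Review bot: The `Checkout PR HEAD` step checks out untrusted fork code with actions/checkout's default `persist-credentials: true`, which writes the job's `GITHUB_TOKEN` into that checkout's `.git/config` where any later step running code from the PR tree can read it; since the workflow now only needs to read the tree, add `persist-credentials: false` under `with:` alongside `ref: ${{ github.event.pull_request.head.sha }}` (and on the `refs/heads/main` checkout above it for the same reason). The token is read-only after this patch, so the exposure is small, but there is no reason to leave it on disk at all. The `with:` block and the rest of the job continue past the end of this hunk, so I cannot see whether a later step executes anything from the PR checkout; if one does, a comment there noting that it runs untrusted code under a read-only token would help the next reviewer.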