From 143787aad696b7d307ed4991e2f141ebc7963975 Mon Sep 17 00:00:00 2001
From: Antonis Lilis
Date: Mon, 27 Apr 2026 16:48:45 +0200
Subject: [PATCH 1/2] ci: Restore changelog-preview workflow with hardened craft 2.26.2

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/changelog-preview.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/workflows/changelog-preview.yml

diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
new file mode 100644
index 0000000000..d7683ec04c
--- /dev/null
+++ b/.github/workflows/changelog-preview.yml
@@ -0,0 +1,18 @@
+name: Changelog Preview
+on:
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - edited
+ - labeled
+ - unlabeled
+permissions:
+ contents: read
+ pull-requests: write
+jobs:
+ changelog-preview:
+ uses: getsentry/craft/.github/workflows/changelog-preview.yml@3dc647fee3586e57c7c31eb900fdec7cbb44f23f # v2.26.2
+ secrets: inherit

From 91bdc07d9d00fea9599e236fc9c145d6debf0a35 Mon Sep 17 00:00:00 2001
From: Antonis Lilis
Date: Mon, 27 Apr 2026 17:18:55 +0200
Subject: [PATCH 2/2] ci: Drop unnecessary secrets: inherit from changelog-preview

The reusable workflow only references secrets.GITHUB_TOKEN, which is auto-provisioned per job. Inheriting all repo secrets under pull_request_target is unnecessary exposure.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/changelog-preview.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml
index d7683ec04c..323506d97a 100644
--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@@ -15,4 +15,3 @@ permissions:
 jobs:
 changelog-preview:
 uses: getsentry/craft/.github/workflows/changelog-preview.yml@3dc647fee3586e57c7c31eb900fdec7cbb44f23f # v2.26.2
- secrets: inherit
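Review bot: The first hunk's new workflow runs under `pull_request_target` with `pull-requests: write` and nothing in the file records why that trigger is used instead of `pull_request`, or what the called workflow may do with PR-controlled input; add a header comment above `on:` such as `# pull_request_target: runs with the base-repo token so the preview comment can be posted on fork PRs; the reusable workflow must not check out or execute PR head code`. The `uses:` line is pinned to a full commit SHA with a `# v2.26.2` tag comment, which is the right shape for an external reusable workflow; the comment is not enforced, so the SHA should be re-checked against the tag on every bump. Since `synchronize`, `edited`, `labeled` and `unlabeled` can fire in quick succession, a `concurrency:` block with `group: changelog-preview-${{ github.event.pull_request.number }}` and `cancel-in-progress: true` would avoid overlapping preview runs, unless the reusable workflow already serialises them, which is not visible from here. The second hunk is a pure deletion and needs no further comment.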