HDFGroup · brtnfld · Jun 9, 2026 · Jun 6, 2026 · Jun 8, 2026 · Jun 8, 2026
@@ -202,10 +202,6 @@ module.exports = async function run({ github, context, core }) {
   //   Covers: hdf5.h (umbrella), H5*public.h / H5*develop.h (per-module),
   //   VFD driver headers included by hdf5.h, and VOL connector headers.
   //
-  // NOTE: Fork PRs (head.repo != base.repo) are intentionally excluded.
-  //   They run with a read-only token and cannot post comments or request
-  //   reviewers. Fork coverage would require a pull_request_target job.
-  //
   // NOTE: Team owners (@org/team) in CODEOWNERS are not supported.
   //   Only individual GitHub logins are handled. If teams are added,
   //   extend parsing and reviewer requests to use team_reviewers.

@@ -5,9 +5,14 @@ name: Review Checklist
 #
 # Reviewer lists are derived entirely from .github/CODEOWNERS — no duplication.
 # To add an area or change owners, edit only CODEOWNERS.
+#
+# Uses pull_request_target so the workflow runs with the base repo's full token
+# even for fork PRs. The checkout and script execution always use the base
+# branch (develop), never the fork's code — this is the safe posture for
+# pull_request_target.
 
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened]
     branches: [develop]
   pull_request_review:
@@ -25,12 +30,13 @@ permissions:
 jobs:
   checklist:
     runs-on: ubuntu-latest
-    # Only run on PRs targeting develop from within the same repo (not forks).
-    # For review events, only run on approvals targeting develop.
+    # Run on all PRs targeting develop, including those from forks.
+    # pull_request_target always executes this workflow from the base repo
+    # (HDFGroup/hdf5) with a full write token — it never runs code from the
+    # fork. For review events, only run on approvals targeting develop.
     if: |
       github.event.pull_request.base.ref == 'develop' &&
-      github.event.pull_request.head.repo.full_name == github.repository &&
-      (github.event_name == 'pull_request' ||
+      (github.event_name == 'pull_request_target' ||
        (github.event_name == 'pull_request_review' &&
         github.event.review.state == 'approved'))
 

@@ -0,0 +1,35 @@
+name: zizmor
+
+# Static security analysis for GitHub Actions workflows.
+# Findings appear as inline annotations on PRs and in the Security tab.
+# Runs zizmor directly via pip to avoid a third-party action dependency.
+
+on:
+  push:
+    branches: [develop]
+    paths: ['.github/**']
+  pull_request:
+    branches: [develop]
+    paths: ['.github/**']
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - run: pip install zizmor==1.25.2
+      - run: zizmor --format sarif . > zizmor-results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
+        if: always()
+        with:
+          sarif_file: zizmor-results.sarif
+          category: zizmor