fix(ci): use pull_request_target for PR write access

Thomo1318 · Thomo1318 · commit bc1f592cdd21 · 2026-01-03T23:21:54.000+11:00
GITHUB_TOKEN has restricted permissions on pull_request events
diff --git a/.github/workflows/badgetizr.yml b/.github/workflows/badgetizr.yml
@@ -1,7 +1,7 @@
 name: Badgetizr PR Badges
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - reopened
@@ -13,6 +13,11 @@ concurrency:
   group: badgetizr-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
 jobs:
   badgetizr-start:
     # Skip Dependabot PRs
@@ -23,20 +28,29 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Clone Badgetizr
+        run: |
+          git clone --depth 1 --branch 3.0.2 https://github.com/aiKrice/homebrew-badgetizr.git /tmp/badgetizr
+          chmod +x /tmp/badgetizr/badgetizr
+
+      - name: Install dependencies
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
       - name: Badgetizr - Start
-        uses: aiKrice/homebrew-badgetizr@3.0.2
-        with:
-          pr_id: ${{ github.event.pull_request.number }}
-          configuration: .badgetizr.yml
-          pr_destination_branch: ${{ github.event.pull_request.base.ref }}
-          pr_build_number: ${{ github.run_id }}
-          pr_build_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          ci_status: "started"
-          ci_text: "Running CI"
+        run: |
+          cd /tmp/badgetizr
+          ./badgetizr -c $GITHUB_WORKSPACE/.badgetizr.yml \
+            --pr-id=${{ github.event.pull_request.number }} \
+            --pr-destination-branch=${{ github.event.pull_request.base.ref }} \
+            --pr-build-number=${{ github.run_id }} \
+            --pr-build-url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            --ci-status=started \
+            --ci-text="Running CI"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-  # Wait for other CI jobs to complete
   badgetizr-result:
     needs: [badgetizr-start]
     runs-on: ubuntu-latest
@@ -46,28 +60,38 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Clone Badgetizr
+        run: |
+          git clone --depth 1 --branch 3.0.2 https://github.com/aiKrice/homebrew-badgetizr.git /tmp/badgetizr
+          chmod +x /tmp/badgetizr/badgetizr
+
+      - name: Install dependencies
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
       - name: Badgetizr - Success
-        if: ${{ success() }}
-        uses: aiKrice/homebrew-badgetizr@3.0.2
-        with:
-          pr_id: ${{ github.event.pull_request.number }}
-          configuration: .badgetizr.yml
-          pr_destination_branch: ${{ github.event.pull_request.base.ref }}
-          pr_build_number: ${{ github.run_id }}
-          pr_build_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          ci_status: "passed"
+        if: ${{ needs.badgetizr-start.result == 'success' }}
+        run: |
+          cd /tmp/badgetizr
+          ./badgetizr -c $GITHUB_WORKSPACE/.badgetizr.yml \
+            --pr-id=${{ github.event.pull_request.number }} \
+            --pr-destination-branch=${{ github.event.pull_request.base.ref }} \
+            --pr-build-number=${{ github.run_id }} \
+            --pr-build-url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            --ci-status=passed
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Badgetizr - Failed
-        if: ${{ failure() }}
-        uses: aiKrice/homebrew-badgetizr@3.0.2
-        with:
-          pr_id: ${{ github.event.pull_request.number }}
-          configuration: .badgetizr.yml
-          pr_destination_branch: ${{ github.event.pull_request.base.ref }}
-          pr_build_number: ${{ github.run_id }}
-          pr_build_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          ci_status: "failed"
+        if: ${{ needs.badgetizr-start.result != 'success' }}
+        run: |
+          cd /tmp/badgetizr
+          ./badgetizr -c $GITHUB_WORKSPACE/.badgetizr.yml \
+            --pr-id=${{ github.event.pull_request.number }} \
+            --pr-destination-branch=${{ github.event.pull_request.base.ref }} \
+            --pr-build-number=${{ github.run_id }} \
+            --pr-build-url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
+            --ci-status=failed
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/test-badgetizr.md b/test-badgetizr.md
@@ -0,0 +1 @@
+# Test PR
