Make PR validation safe for external forks

[piatoss3612]

Summary

• Change PR validation to run on pull_request_target from the trusted base checkout instead of executing PR-controlled workflow/code by default.
• Add a safe validation script that overlays only registry data/image changes from the PR head before running the existing validator.
• Require maintainer review for external PRs that touch validator, dependency, or workflow files such as .github/**, src/**, package.json, or yarn.lock.
• Classify transient public price endpoint failures separately from hard validation errors and report validation results through a sticky PR comment/job summary.

Why

First-time external contributors currently need a maintainer to approve the workflow before they can get validation feedback. This keeps the common data-only registry PR path automatic while avoiding untrusted PR code execution.

Validation

• bash -n .github/scripts/safe-pr-validation.sh
• git diff --check
• yarn tsc --noEmit --pretty false
• yarn lint:test
• YAML parse check for .github/workflows/pull-request-validation.yml
• Dry-run against real PR refs without posting comments:
  • PR Add Ethiq EVM chain configs #1399: dangerous files blocked with Maintainer review required
  • PR Update lumen.json #1488: data-only validation passed
  • PR feat: Add ByteNetwork Configuration #1489: hard validation failure summarized correctly
  • forced bad PRICE_URL: price endpoint failure matched inconclusive classification

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
keplr-chain-registry	Ready	Preview, Comment	Jun 8, 2026 7:34am