security: replace pull_request_target with pull_request (#111)

Author: derekmisler

.github/workflows/review-pr.yml

@@ -7,7 +7,7 @@
 #       types: [created]
 #     pull_request_review_comment: # Captures feedback on review comments for learning
 #       types: [created]
-#     pull_request_target: # Triggers auto-review on PR open; uses base branch context so secrets work with forks
+#     pull_request: # Triggers auto-review on PR open (same-repo branches only; fork PRs use /review)
 #       types: [ready_for_review, opened]
 #
 #   jobs:
@@ -108,12 +108,15 @@ jobs:
   # ==========================================================================
   # AUTOMATIC REVIEW FOR ORG MEMBERS
   # Triggers when a PR is marked ready for review or opened (non-draft)
-  # Only runs for members of the configured org (supports fork-based workflow)
+  # Only runs for members of the configured org; same-repo branches only — fork PRs use /review command
+  # Only runs for same-repo PRs (fork PRs don't have access to secrets with pull_request trigger)
+  # Fork PRs use the /review command instead
   # ==========================================================================
   auto-review:
     if: |
-      github.event_name == 'pull_request_target' &&
-      !github.event.pull_request.draft
+      github.event_name == 'pull_request' &&
+      !github.event.pull_request.draft &&
+      github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
     runs-on: ubuntu-latest
     env:
       HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
@@ -154,7 +157,7 @@ jobs:
               }
             }
 
-      # Safe to checkout PR head because review-pr only READS files (no code execution)
+      # With pull_request, checking out the PR head is standard behavior
       - name: Checkout PR head
         if: steps.membership.outputs.is_member == 'true'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -342,9 +345,8 @@ jobs:
   # ==========================================================================
   # CAPTURE FEEDBACK
   # Saves feedback data as an artifact for lazy processing. This job
-  # intentionally avoids using secrets so it works for fork PRs in public
-  # repos. The actual AI processing happens during the next review run,
-  # which has full secret access via pull_request_target or issue_comment.
+  # intentionally avoids using secrets. The actual AI processing happens
+  # during the next review run, which has full secret access via issue_comment.
   # ==========================================================================
   capture-feedback:
     if: github.event_name == 'pull_request_review_comment' && github.event.comment.in_reply_to_id

.github/workflows/self-review-pr.yml

@@ -10,7 +10,7 @@ on:
     types: [created]
   pull_request_review_comment:
     types: [created]
-  pull_request_target:
+  pull_request:
     types: [ready_for_review, opened]
 
 permissions:
@@ -23,12 +23,15 @@ jobs:
   # ==========================================================================
   # AUTOMATIC REVIEW FOR ORG MEMBERS
   # Triggers when a PR is marked ready for review or opened (non-draft)
-  # Only runs for members of the docker org (supports fork-based workflow)
+  # Only runs for members of the docker org; auto-reviews same-repo PRs from org members
+  # Only runs for same-repo PRs (fork PRs don't have access to secrets with pull_request trigger)
+  # Fork PRs use the /review command instead
   # ==========================================================================
   auto-review:
     if: |
-      github.event_name == 'pull_request_target' &&
-      !github.event.pull_request.draft
+      github.event_name == 'pull_request' &&
+      !github.event.pull_request.draft &&
+      github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
     runs-on: ubuntu-latest
     env:
       HAS_APP_SECRETS: ${{ secrets.CAGENT_REVIEWER_APP_ID != '' }}
@@ -67,7 +70,7 @@ jobs:
               }
             }
 
-      # Safe to checkout PR head because review-pr only READS files (no code execution)
+      # With pull_request, checking out the PR head is standard behavior
       - name: Checkout PR head
         if: steps.membership.outputs.is_member == 'true'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -247,10 +250,9 @@ jobs:
   # ==========================================================================
   # CAPTURE FEEDBACK
   # Saves feedback data as an artifact for the workflow_run-triggered
-  # reply-to-feedback workflow. This job intentionally avoids using secrets
-  # so it works for fork PRs in public repos. The reply-to-feedback.yml
-  # workflow runs via workflow_run in the base repo context with full
-  # permissions and secrets.
+  # reply-to-feedback workflow. This job intentionally avoids using secrets.
+  # The reply-to-feedback.yml workflow runs via workflow_run in the base
+  # repo context with full permissions and secrets.
   # ==========================================================================
   capture-feedback:
     if: github.event_name == 'pull_request_review_comment' && github.event.comment.in_reply_to_id

README.md

@@ -54,11 +54,11 @@ on:
     types: [created]
   pull_request_review_comment: # Captures feedback on review comments for learning
     types: [created]
-  pull_request_target: # Triggers auto-review on PR open; uses base branch context so secrets work with forks
+  pull_request: # Triggers auto-review on PR open (same-repo branches only; fork PRs use /review)
     types: [ready_for_review, opened]
 
 permissions:
-  contents: read # This is required to be a top-level permission to give `issue_comment` events (on forked PRs) access to the secrets below.
+  contents: read # Required at top-level to give `issue_comment` events access to the secrets below.
 
 jobs:
   review:
@@ -76,6 +76,8 @@ jobs:
       CAGENT_REVIEWER_APP_PRIVATE_KEY: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }} # GitHub App private key; paired with App ID above
 ```
 
+> **Note:** Auto-review runs on same-repo branches only — fork PRs are automatically skipped (secrets aren't available). For fork PRs, an org member can comment `/review` to trigger a review.
+
 See the [full PR Review documentation](review-pr/README.md) for more details.
 
 ### Using a Local Agent File

review-pr/README.md

@@ -15,11 +15,11 @@ on:
     types: [created]
   pull_request_review_comment: # Captures feedback on review comments for learning
     types: [created]
-  pull_request_target:         # Triggers auto-review on PR open; uses base branch context so secrets work with forks
+  pull_request:                # Triggers auto-review on PR open (same-repo branches only; fork PRs use /review)
     types: [ready_for_review, opened]
 
 permissions:
-  contents: read # This is required to be a top-level permission to give `issue_comment` events (on forked PRs) access to the secrets below.
+  contents: read # Required at top-level to give `issue_comment` events access to the secrets below.
 
 jobs:
   review:
@@ -37,6 +37,8 @@ jobs:
       CAGENT_REVIEWER_APP_PRIVATE_KEY: ${{ secrets.CAGENT_REVIEWER_APP_PRIVATE_KEY }} # GitHub App private key; paired with App ID above
 ```
 
+> **Note:** Auto-review runs on same-repo branches only — fork PRs are automatically skipped (secrets aren't available). For fork PRs, an org member can comment `/review` to trigger a review.
+
 > **Why explicit secrets instead of `secrets: inherit`?** This follows the principle of least privilege — the called workflow only receives the secrets it actually needs, not every secret in your repository. This is the recommended approach for public repos and security-conscious teams.
 
 ### Customizing for your organization
@@ -53,7 +55,7 @@ The workflow automatically handles:
 
 | Trigger                 | Behavior                                                                                |
 | ----------------------- | --------------------------------------------------------------------------------------- |
-| PR opened/ready         | Auto-reviews PRs from your org members (if `CAGENT_ORG_MEMBERSHIP_TOKEN` is configured) |
+| PR opened/ready         | Auto-reviews PRs from your org members (same-repo branches only; fork PRs use `/review`) |
 | `/review` comment       | Manual review on any PR (shows as a check run on the PR if `checks: write` is granted)  |
 | Reply to review comment | Responds in-thread and learns from feedback to improve future reviews                   |
 
@@ -359,7 +361,7 @@ When you reply to a review comment, two things happen in parallel:
 5. The agent also stores learnings in the memory database for future reviews
 
 **Async artifact capture** (`capture-feedback` job):
-1. Saves the feedback as a GitHub Actions artifact (no secrets required — works for fork PRs)
+1. Saves the feedback as a GitHub Actions artifact (no secrets required)
 2. On the next review run, pending feedback artifacts are downloaded and processed into the memory database
 3. Acts as a resilient fallback if the reply agent fails or isn't configured
 
@@ -471,7 +473,7 @@ Each eval file in `review-pr/agents/evals/` contains:
 **No check run showing on the PR?**
 
 - Add `checks: write` to your workflow permissions (it's optional — the review works without it)
-- Check runs are created for manual (`/review`) triggers. Auto-reviews from `pull_request_target` already appear as workflow runs natively
+- Check runs are created for manual (`/review`) triggers. Auto-reviews from `pull_request` already appear as workflow runs natively
 
 **Learning doesn't seem to work?**