Clarify `How the permissions are calculated for a workflow job`

[jsoref]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#how-the-permissions-are-calculated-for-a-workflow-job

What part(s) of the article would you like to see updated?

Finally,
if the workflow was triggered by a pull request from a forked repository,
and the Send write tokens to workflows from pull requests setting is not selected,
the permissions are adjusted to change any write permissions to read only.

Should be changed to say clarify that if the workflow was triggered by a pull request and the job event is pull_request_target then write permissions will not be changed to read only.

I'm still recovering from a concussion, but here's my first attempt at fixing this text:

Finally,
if the workflow was triggered for the pull_request event (and not the pull_request_target event) by a pull request from a forked repository,
and the Send write tokens to workflows from pull requests setting is not selected,
the permissions are adjusted to change any write permissions to read only.

Additional information

No response

[nguyenalex836]

@jsoref Sorry to hear about the concussion 💛 I'll get this triaged for review ✨

[github-actions]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

[nguyenalex836]

@jsoref Hello! 👋 Our engineering team reviewed, and agreed with your proposed clarification. They also wanted to mention the following -

The suggested text is not quite right though - the read-only behavior applies to all pull request events triggered on a fork PR except pull_request_target

So it’s not correct to say it only applies to pull_request events, it would apply to pull_request_review and the other PR/issue related events

With that adjustment in mind, you or anyone else is welcome to open a PR with this update ✨

CC @jc-clark just for visibility 💛

[Vikranth3140]

Hello @nguyenalex836,

I have read through the conversation and the suggestions from the engineering team. Please review the proposed update for the documentation to clarify the behavior of workflow job permissions. The read-only adjustment applies to all pull request-related events triggered on a fork PR except for the pull_request_target event. This ensures that users understand the specific conditions under which write permissions remain unchanged.

Updated section:

Finally, if the workflow was triggered by a pull request from a forked repository, and the Send write tokens to workflows from pull requests setting is not selected, the permissions are adjusted to change any write permissions to read-only, except for the pull_request_target event. This applies to all pull request-related events, including pull_request_review.

Is this good to go?