From 4f756be41252a3e427339822a3d7c1b6372836a6 Mon Sep 17 00:00:00 2001
From: David Levy
Date: Sun, 1 Feb 2026 17:57:53 -0600
Subject: [PATCH 1/2] fix: use pull_request_target for PR title linting Fixes 'Resource not accessible by integration' error for fork PRs. The pull_request_target trigger runs in base repo context, giving the GITHUB_TOKEN sufficient permissions to read PR metadata. This is safe because we do not checkout or execute any PR code.
---
.github/workflows/pr-title-lint.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/workflows/pr-title-lint.yml
diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml
new file mode 100644
index 00000000..d4ae43de
--- /dev/null
+++ b/.github/workflows/pr-title-lint.yml
@@ -0,0 +1,19 @@
+name: PR Title Lint
+
+on:
+ pull_request_target:
+ types: [opened, edited, synchronize, reopened]
+
+permissions:
+ pull-requests: read
+ statuses: write
+
+jobs:
+ lint:
+ name: Validate PR Title
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check PR title follows Conventional Commits
+ uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 41962f3d358282b7489cd96c64b4f46ab9f0e5b2 Mon Sep 17 00:00:00 2001
From: David Levy
Date: Sun, 1 Feb 2026 18:23:32 -0600
Subject: [PATCH 2/2] style: add copyright header and version comment Address Copilot review feedback: - Add Microsoft copyright header for consistency - Add version comment (v5.5.3) and verify command for pinned SHA
---
.github/workflows/pr-title-lint.yml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml
index d4ae43de..f47a68d9 100644
--- a/.github/workflows/pr-title-lint.yml
+++ b/.github/workflows/pr-title-lint.yml
@@ -1,3 +1,6 @@ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT license. + name: PR Title Lint on:
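Review bot: The safety of `pull_request_target` in the new `.github/workflows/pr-title-lint.yml` (patch 1/2) rests on an invariant that is stated only in the commit message, so a later edit could add a checkout of the PR head, or a `run:` step that interpolates the PR title, without anyone noticing that the job runs in the base repository's context. I would record it in the file directly above the trigger, e.g. `# pull_request_target runs with the base repo's token: never check out or execute PR code here, and never interpolate PR fields into run steps`. Separately, `statuses: write` looks broader than title validation needs unless the action's WIP status feature is in use, which this workflow does not configure; confirm against the action's documentation and drop the scope if it is unused.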
@@ -14,6 +17,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Check PR title follows Conventional Commits - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 + # Pinned to commit SHA for supply chain security (CWE-829) + # Verify: gh api repos/amannn/action-semantic-pull-request/git/ref/tags/v5.5.3 --jq '.object.sha' + uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
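Review bot: The verify command in the added comment reads `.object.sha` from `git/ref/tags/v5.5.3`, which is the commit SHA only when the tag is lightweight; for an annotated tag it is the SHA of the tag object and will not match the pinned commit even when the pin is correct. Whether v5.5.3 is annotated is not visible from this patch, so a form that always resolves to the commit is the safer thing to document, e.g. `# Verify: gh api repos/amannn/action-semantic-pull-request/commits/v5.5.3 --jq '.sha'`. A reviewer who sees a mismatch from the current command may otherwise either distrust a good pin or learn to ignore the check. The `lint` job that contains this step starts above the hunk.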