From e3727e61c176ca16a2827f904018bde534b43775 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Tue, 12 May 2026 05:51:36 -0700
Subject: [PATCH] ci: remove pull_request_target trigger from release-drafter

Removes the pull_request_target event trigger from release-drafter to eliminate exposure of the supply-chain-attack pattern exploited in the TanStack NPM compromise. See: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem Autolabeler will no longer run on PRs from forks; release notes are still drafted on push to main.

---
 .github/workflows/release-drafter.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index dd646d22..3089ae37 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -9,9 +9,6 @@ on:
 pull_request:
 # Only following types are handled by the action, but one can default to all as well
 types: [opened, reopened, synchronize]
- # pull_request_target event is required for autolabeler to support PRs from forks
- pull_request_target:
- types: [opened, reopened, synchronize]
 permissions:
 contents: read