From 7fd0c20d605f8822adc54d00fc2b2ce3253803f9 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Tue, 12 May 2026 05:51:19 -0700
Subject: [PATCH] ci: remove pull_request_target trigger from release-drafter

Removes the pull_request_target trigger from the release-drafter workflow to eliminate exposure to the supply-chain-attack pattern abused in the TanStack NPM compromise.

See: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
---
 .github/workflows/release-drafter.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 017ce45..8619399 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -10,9 +10,6 @@ on:
 pull_request:
 # Only following types are handled by the action, but one can default to all as well
 types: [opened, reopened, synchronize]
- # pull_request_target event is required for autolabeler to support PRs from forks
- pull_request_target:
- types: [opened, reopened, synchronize]

 permissions:
 contents: read