From e604f65be8eea7153320d86a5ed2b325f0bc430d Mon Sep 17 00:00:00 2001 From: Adam Haglund Date: Tue, 2 Jun 2026 10:42:19 +0200 Subject: [PATCH 1/2] Update README with pull_request_target usage guidelines Add caution and warning notes regarding the use of pull_request_target event. --- pr-status/README.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/pr-status/README.md b/pr-status/README.md index 7750eb4d..ef297301 100644 --- a/pr-status/README.md +++ b/pr-status/README.md 
@@ -2,7 +2,16 @@ This action generates the changesets status in PRs, e.g. whether it has changeset files and which packages will be released if the PR is merged. -It requires the repo to be checked out, and automatically fetches the PR head ref into a temporary detached worktree in order to infer the changed files and packages. It also requires the [`pull_request_target`](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target) event to be triggered in order to have permissions to comment on the PR and to work in PRs from forks. +It requires the repo to be checked out, and automatically fetches the PR head ref into a temporary detached worktree in order to infer the changed files and packages. + +> [!CAUTION] +> **This action uses `pull_request_target` by default to support PRs from forks.** +> +> Generally, **do not execute any code except for GitHub Actions** when using the `pull_request_target` event. +> +> The example below only _checks out_ and does not _run_ any code from the PR. +> +> Read more about the `pull_request_target` event in the [GitHub documentation](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target). You can also use the [`pull_request`](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request) event if you prefer to lock permissions down and not run for PRs from forks. Make sure to add an if check to prevent the action from failing in fork PRs: 
@@ -15,9 +24,6 @@ jobs: See the [action metadata](action.yml) for details on the inputs and outputs. -> [!WARNING] -> **Do not run untrusted code** when using the `pull_request_target` event. The example below only checks out code and does not run any code from the PR. Read more about the `pull_request_target` event in the [GitHub documentation](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target). - ## Example setup ```yaml @@ -27,6 +33,8 @@ name: Comment Changesets status in PRs on: pull_request_target: +permissions: {} # require explicitly stating all permissions in each job + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number }} cancel-in-progress: true From 2df4dde2adcd4f07a0668c5b532be5cf2ec8da37 Mon Sep 17 00:00:00 2001 From: Adam Haglund Date: Tue, 2 Jun 2026 10:47:57 +0200 Subject: [PATCH 2/2] Update README with pull_request_target caution Added caution about using pull_request_target and alternative options. --- pr-status/README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pr-status/README.md b/pr-status/README.md index ef297301..55dc113a 100644 --- a/pr-status/README.md +++ b/pr-status/README.md 
@@ -4,13 +4,15 @@ This action generates the changesets status in PRs, e.g. whether it has changese It requires the repo to be checked out, and automatically fetches the PR head ref into a temporary detached worktree in order to infer the changed files and packages. +See the [action metadata](action.yml) for details on the inputs and outputs. + > [!CAUTION] > **This action uses `pull_request_target` by default to support PRs from forks.** -> +> > Generally, **do not execute any code except for GitHub Actions** when using the `pull_request_target` event. -> +> > The example below only _checks out_ and does not _run_ any code from the PR. -> +> > Read more about the `pull_request_target` event in the [GitHub documentation](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target). You can also use the [`pull_request`](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request) event if you prefer to lock permissions down and not run for PRs from forks. Make sure to add an if check to prevent the action from failing in fork PRs: @@ -22,7 +24,7 @@ jobs: # ... ``` -See the [action metadata](action.yml) for details on the inputs and outputs. +You can also use the [Changesets Bot](https://github.com/apps/changeset-bot) if you don't want an extra action in your repo, or are worried about the `pull_request_target` event. ## Example setup
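Review bot: in PATCH 1/2, hunk `@@ -2,7 +2,16 @@` of pr-status/README.md, the added line `> Generally, **do not execute any code except for GitHub Actions** when using the \`pull_request_target\` event.` is ambiguous: it reads as if any action may safely be run, whereas the risk is running anything taken from the PR head while the job holds the base repository's write-capable token. Suggest phrasing it around provenance, for example "do not run any code from the PR head (build scripts, tests, package-manager install hooks) when using `pull_request_target`", and stating which ref the checkout step in the example uses, since the caution promises that the example only checks out and does not run PR code.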
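Review bot: in PATCH 1/2, hunk `@@ -15,9 +24,6 @@`, the `> [!WARNING]` block is deleted outright, so the commit subject "Add caution and warning notes" no longer describes the change; the WARNING's content has been relocated into the new CAUTION block earlier in the file. Suggest rewording the commit message to say the WARNING was replaced by a CAUTION placed before the `pull_request` alternative.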
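Review bot: in PATCH 1/2, hunk `@@ -27,6 +33,8 @@`, the added top-level `permissions: {}` removes every default `GITHUB_TOKEN` permission from the workflow, so the job that posts the status comment must declare what it needs (for a PR comment, `pull-requests: write`; for the checkout, `contents: read`) or the example will fail at runtime; the hunk does not show the job block, so please confirm the example's job declares its permissions. The trailing comment `# require explicitly stating all permissions in each job` would read more clearly as `# no default token permissions; each job must declare what it needs`.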
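Review bot: in PATCH 2/2, hunk `@@ -4,13 +4,15 @@`, the three `-> ` / `+>` pairs inside the CAUTION block are whitespace-only edits to blank blockquote lines, mixed into a hunk that also moves the `See the [action metadata](action.yml)` sentence; keeping whitespace fixes separate, or squashing 2/2 into 1/2 since it reworks text introduced five minutes earlier, would make the history easier to review.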
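Review bot: in PATCH 2/2, hunk `@@ -22,7 +24,7 @@`, the added line recommends the [Changesets Bot](https://github.com/apps/changeset-bot) for readers "worried about the `pull_request_target` event"; since that is a GitHub App installed with its own repository access, it exchanges one trust relationship (a privileged workflow token) for another (a third-party app) rather than removing the concern. Suggest saying so in a few words, and noting that the `pull_request` event with the `if` check shown above remains the option that needs no additional trust.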