Is pull_request_target required for forks (doc may be outdated)
Describe the bug
From the pull_request section in Event triggers:
If this configuration is used and a pull request from a fork is opened, you'll encounter an error as the GitHub token environment parameter is not available.
However, according to Github documentation, the main difference between pull_request_target and pull_request is that the former also gives write permissions, which does not seem to be required by action-semantic-pull-request.
Furthermore, a run triggered from a fork did finish successfully even though it's pull_request instead of pull_request_target in the corresponding workflow file.
As a result, the documentation may be outdated.
To reproduce
- Use this action and configure pull_request to be the triggering event.
- Create a PR from a fork. The check should not work according to the documentation, but it works.
Expected behavior
Updated documentation.
Hey, and thank you for raising this question! There's a chance that we could get rid of the token, maybe that would allow us to recommend a single event trigger in the future: https://github.com/amannn/action-semantic-pull-request/issues/218. It's likely possible that the docs became outdated at some point, unfortunately I don't have the time currently to look into this in detail.
I'd like to vote for this issue. The use of pull_request_target triggers Dangerous-Workflow in OpenSSF Scorecard because it permits a malicious repo or action to take advantage of the write permission. https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
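As an added illustration of the two triggers discussed in this thread (an example written for this page, not configuration from the issue, the action's README, or OpenSSF), the workflow below runs the semantic-PR check on the `pull_request` event with an explicit least-privilege `permissions` block, and the comment at the end shows what the `pull_request_target` variant would change. The `@v5` tag, the job name and the exact permission scope are assumptions.

```yaml
# Added example (not from the issue or the action's README): run the
# semantic-PR check on fork PRs using the `pull_request` event, which gives
# the job a read-only GITHUB_TOKEN, instead of `pull_request_target`.
# Assumptions: the action is pinned to its v5 major tag; the job name and the
# minimal permission scope below are chosen for this example.
name: Lint PR title

on:
  pull_request:
    types: [opened, edited, synchronize, reopened]   # re-run when the title is edited

# Least privilege: listing `permissions` at workflow level sets every scope
# not named here to "none". The check only needs to read PR metadata.
permissions:
  pull-requests: read

jobs:
  lint-title:
    runs-on: ubuntu-latest
    steps:
      # No actions/checkout step: nothing from the fork is checked out or
      # executed; the action reads the PR title through the GitHub API.
      - uses: amannn/action-semantic-pull-request@v5   # assumed version tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Contrast (shown for comparison, not as a recommended setting):
#
#   on:
#     pull_request_target:
#
# runs the job in the context of the base repository with a token that can
# carry write scope. That is the pattern OpenSSF Scorecard's Dangerous-Workflow
# check flags, because combining it with a checkout or execution of the fork's
# code lets untrusted changes run with write access. The check above has no
# such step and does not need write access, so the `pull_request` trigger with
# a read-only token is the safer fit.
```

If the repository sets a restrictive default token permission at the organization or repository level, the workflow-level `permissions` block is what keeps the job working on fork PRs while still granting nothing beyond read access.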