caliper
What privileges do PRs have when they execute in our GitHub Actions?
They should not have access to any publishing tokens; if they do, it opens up the possibility of credentials being stolen, and they do not need any publishing credentials.
Not sure if PRs need access to any access tokens except read access for GitHub to be able to pull the repo and the PR branch.
This is how Shai-Hulud 2.0 came about; see https://www.theregister.com/2025/11/28/posthog_shaihulud/