chore: Update publish.yml (#908)

* replace `pull_request_target` usage with `pull_request` * replace checkout of ref to checkout of sha * general security improvements
npm · Oct 21, 2024 · 60d829a · 60d829a
1 parent e394162
commit 60d829a
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-  pull_request_target:
+  pull_request:
   workflow_dispatch:
   workflow_call:
 
@@ -16,14 +16,14 @@ jobs:
     steps:
 
     - name: Checkout PR
-      if: ${{ github.event_name == 'pull_request_target' }}
+      if: ${{ github.event_name == 'pull_request' }}
       uses: actions/checkout@v3
       with:
-        ref: ${{ github.event.pull_request.head.ref }}
+        ref: ${{ github.event.pull_request.head.sha }}
         repository: ${{ github.event.pull_request.head.repo.full_name }}
 
     - name: Checkout
-      if: ${{ github.event_name != 'pull_request_target' }}
+      if: ${{ github.event_name != 'pull_request' }}
       uses: actions/checkout@v3
       with:
         ref: main