From 033c3bc8b22326f9e120bb2f99a0ff04e19af556 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Malfait?=
Date: Thu, 23 Nov 2023 15:39:34 +0100
Subject: [PATCH] Update danger.js to pull_request_target (#2675)

---
 .github/workflows/ci-utils.yaml | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci-utils.yaml b/.github/workflows/ci-utils.yaml
index 8bbb0444b..de3425ab7 100644
--- a/.github/workflows/ci-utils.yaml
+++ b/.github/workflows/ci-utils.yaml
@@ -3,7 +3,18 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  # it's usually not recommended to use pull_request_target
+  # but we consider it's safe here if we keep the same steps
+  # see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+  # and: https://github.com/facebook/react-native/pull/34370/files
+  pull_request_target:
+permissions:
+  actions: write
+  checks: write
+  contents: write
+  issues: write
+  pull-requests: write
+  statuses: write
 jobs:
   danger-js:
     runs-on: ubuntu-latest
@@ -19,13 +30,7 @@ jobs:
           node-version: "18"
       - name: Utils / Install Dependencies
         run: cd packages/twenty-utils && yarn
-      - name: Set danger env
-        run: |
-          part1='github_pat_11BCSUEQA0Vd4ajqgGdujc_JJYRUxKfcbMtUn'
-          part2='z89DFTksGNXqOwLnmNv0VwMpQdc47T5BTGG2GOUbm6L8J'
-          echo "DANGER_GITHUB_API_TOKEN=${part1}${part2}" >> $GITHUB_ENV
       - name: Utils / Run Danger.js
-        run: cd packages/twenty-utils && yarn danger ci
+        run: cd packages/twenty-utils && yarn danger ci --use-github-checks --failOnErrors
         env:
-          DANGER_GITHUB_API_TOKEN: ${{ env.DANGER_GITHUB_API_TOKEN }}
-
+          DANGER_GITHUB_API_TOKEN: ${{ github.token }}
\ No newline at end of file
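Review bot: The new `permissions:` block grants `actions: write`, `contents: write` and `issues: write` to a job that, under `pull_request_target`, runs with the repository's write-capable `github.token` on every fork pull request; as far as I can tell Danger's comment, check-run and status reporting only needs `checks: write`, `pull-requests: write` and `statuses: write`, so the other three should be dropped or reduced to `read` to keep the blast radius minimal. The added comment claims the trigger is safe "if we keep the same steps", but the property it actually depends on is the checkout step, which is outside this hunk: the trigger is only safe while the job never checks out and executes PR-head code (for example via `ref: ${{ github.event.pull_request.head.sha }}`) with these permissions. Suggest spelling that invariant out in the comment, e.g. `# safe only while this job checks out the base branch and never runs code from the PR head with write permissions`, so a later "fix" to lint the PR's own files does not silently reintroduce the pwn-request pattern the linked article describes. The `on:` key keeps yamllint's `truthy` rule firing on this file; that is expected for GitHub workflows and can be suppressed inline rather than "fixed".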
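Review bot: Deleting the `part1`/`part2` lines does not retire the credential they assembled: a fine-grained PAT committed in clear text, even split in two, stays in git history and in every clone, so the token must be revoked from the account that issued it and the switch to `${{ github.token }}` should be treated as the replacement, not the remediation. The unchanged `run: cd packages/twenty-utils && yarn` two lines above the removed step now also executes under `pull_request_target`; the `env:` block scopes `DANGER_GITHUB_API_TOKEN` to the Danger step only, but if the checkout step before this hunk persists credentials or checks out the PR head, package lifecycle scripts from a fork would run with write access during install — confirm the checkout ref and consider `yarn install --ignore-scripts` (Yarn classic) for that step if the utils package does not need them. Minor: the new last line drops the file's trailing newline (`\ No newline at end of file`); keep a final newline after `${{ github.token }}`.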