From 6343eaeb4f26c0a9c61a8490e120b7e262547d02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Malfait?=
Date: Wed, 30 Apr 2025 12:31:56 +0200
Subject: [PATCH] Change workflow preview env to pull_request_target (#11810)

It didn't work with external contributors
---
 .github/workflows/preview-env-dispatch.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/preview-env-dispatch.yaml b/.github/workflows/preview-env-dispatch.yaml
index 4dc32652a..0316729e8 100644
--- a/.github/workflows/preview-env-dispatch.yaml
+++ b/.github/workflows/preview-env-dispatch.yaml
@@ -1,13 +1,20 @@
 name: 'Preview Environment Dispatch'

 on:
- pull_request:
+ # Using pull_request_target instead of pull_request to have access to secrets for external contributors
+ # Security note: This is safe because we're only using the repository-dispatch action with limited scope
+ # and not checking out or running any code from the external contributor's PR
+ pull_request_target:
 types: [opened, synchronize, reopened, labeled]

 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true

+permissions:
+ contents: read
+ actions: write
+
 jobs:
 changed-files-check:
 uses: ./.github/workflows/changed-files.yaml
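Review bot: The unchanged `concurrency` group in this hunk is keyed on `github.ref`, which under `pull_request_target` is the base branch ref rather than the pull request's merge ref, so with `cancel-in-progress: true` an event on one PR can cancel the preview dispatch of another PR targeting the same branch; keying it per PR, `group: ${{ github.workflow }}-${{ github.event.pull_request.number }}`, avoids that. The security comment's claim also depends on code the hunk does not show: `changed-files-check` calls `./.github/workflows/changed-files.yaml` and the jobs section continues past the hunk, so it is worth confirming that neither checks out the PR head now that secrets and a write-capable token are available to fork-triggered runs. I would extend the comment to state that invariant for future editors, e.g. `# Do not add a checkout of the PR head ref to any job in this workflow`. `actions: write` is granted workflow-wide; if only the dispatch job needs it, scoping it to that job would keep the changed-files job read-only.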