From cd8ddb81e15e2c646fec6131f24c8138508fc288 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 20 Aug 2025 22:58:29 +0000
Subject: [PATCH] Fix GitHub workflow secret access from forked PRs
Co-authored-by: netmindz <442066+netmindz@users.noreply.github.com>
---
 .github/workflows/pr-merge.yaml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/pr-merge.yaml b/.github/workflows/pr-merge.yaml
index 5f216100c..42ce6f157 100644
--- a/.github/workflows/pr-merge.yaml
+++ b/.github/workflows/pr-merge.yaml
@@ -1,12 +1,13 @@
 name: Notify Discord on PR Merge
 on:
 workflow_dispatch:
- pull_request:
+ pull_request_target:
 types: [closed]
 jobs:
 notify:
 runs-on: ubuntu-latest
+ if: github.event.pull_request.merged == true
 steps:
 - name: Get User Permission
 id: checkAccess
@@ -23,11 +24,6 @@
 echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
 echo "Job originally triggered by ${{ github.actor }}"
 exit 1
- name: Checkout code
- uses: actions/checkout@v3
- with:
- ref: ${{ github.event.pull_request.head.sha }} # This is dangerous without the first access check
 - name: Send Discord notification
- # if: github.event.pull_request.merged == true
 run: |
 curl -H "Content-Type: application/json" -d '{"content": "Pull Request ${{ github.event.pull_request.number }} merged by ${{ github.actor }}"}' ${{ secrets.DISCORD_WEBHOOK_BETA_TESTERS }}
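Review bot: Switching the trigger to `pull_request_target` in the first hunk makes the job run in the base repository's context, with secrets and the repository's default `GITHUB_TOKEN` scopes, for pull requests from forks, yet no `permissions:` key appears among the workflow-level or job-level keys shown here. A least-privilege block above `jobs:`, for example `permissions:` with `contents: read` (widened only if the checkAccess step, whose body lies outside the hunk, needs more), would keep the token from carrying write scopes this job never uses. The new job-level `if: github.event.pull_request.merged == true` also means a run started through the retained `workflow_dispatch` trigger is always skipped, because that event carries no `pull_request` object; either drop the trigger or handle that event explicitly in the condition. A comment beside the trigger such as `# pull_request_target: runs with secrets; never check out or run PR head code here` would help stop the removed checkout from being reintroduced later.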
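Review bot: The `curl` step kept as context at the end of the second hunk still expands `${{ secrets.DISCORD_WEBHOOK_BETA_TESTERS }}`, `${{ github.actor }}` and `${{ github.event.pull_request.number }}` directly into the script text, with the webhook URL unquoted, so the shell parses whatever those expressions produce. Now that the job receives the secret for fork pull requests as well, these values are better passed through `env:` and referenced as quoted shell variables, which keeps expression output out of the script body. Adding `--fail` would also make the step report an error when Discord rejects the request instead of passing silently. The same direct expansion of `${{ github.actor }}` appears in the `echo` lines at the top of the hunk, whose enclosing step begins outside it.

```yaml
      - name: Send Discord notification
        env:
          DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK_BETA_TESTERS }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          MERGED_BY: ${{ github.actor }}
        run: |
          curl --fail -H "Content-Type: application/json" \
            -d "{\"content\": \"Pull Request ${PR_NUMBER} merged by ${MERGED_BY}\"}" \
            "$DISCORD_WEBHOOK"
```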