From eb5e3d2d4910fe366e5c9953859bf2e2df3778f8 Mon Sep 17 00:00:00 2001
From: Ivan De Marino <ivan.demarino@hashicorp.com>
Date: Wed, 9 Mar 2022 17:12:47 +0000
Subject: [PATCH] Trying `pull_request_target` trigger event for
 `add-content-to-project` GHA workflow

---
 .github/workflows/add-content-to-project.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/add-content-to-project.yml b/.github/workflows/add-content-to-project.yml
index 908d06b..f7e7513 100644
--- a/.github/workflows/add-content-to-project.yml
+++ b/.github/workflows/add-content-to-project.yml
@@ -5,9 +5,12 @@ name: "Add Issues/PRs to TF Provider DevEx team board"
 on:
   issues:
     types: [opened, reopened]
-  pull_request:
+  pull_request_target:
     # NOTE: The way content is added to project board is equivalent to an "upsert".
     # Calling it multiple times will be idempotent.
+    #
+    # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+    # to see the reasoning behind using `pull_request_target` instead of `pull_request`
     types: [opened, reopened, ready_for_review]
 
 jobs: