
fix: remove pull request target from cla - BED-7555 #170

Merged: mykeelium merged 1 commit into main from BED-7555 on Mar 2, 2026

@mykeelium mykeelium commented Mar 2, 2026

Remove pull_request_target from cla.

Resolves BED-7555

Summary by CodeRabbit

  • Chores
    • Updated the contributor license agreement workflow configuration to use an alternative event trigger type for improved handling of pull request validations.

@mykeelium mykeelium self-assigned this Mar 2, 2026
@mykeelium mykeelium added the bug Something isn't working label Mar 2, 2026

coderabbitai bot commented Mar 2, 2026

Walkthrough

The .github/workflows/cla.yml workflow configuration is updated to replace the pull_request_target event trigger with pull_request, including an updated condition check to align with the new event type.

Changes

Cohort: GitHub Actions Workflow Configuration
File(s): .github/workflows/cla.yml
Summary: Replaces pull_request_target trigger with pull_request and updates the corresponding condition check from event_name == 'pull_request_target' to event_name == 'pull_request'.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • definitelynotagoblin
  • StranDutton


Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'fix: remove pull request target from cla' directly and accurately summarizes the main change: replacing pull_request_target trigger with pull_request in the CLA workflow.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cla.yml:
- Around line 5-6: The workflow runs the "Organization Members" step
unconditionally but uses secrets.READ_MEMBERS_SCOPE which is unavailable to
forked pull_request events; add a job-level conditional so the job (or the
"Organization Members" step) only runs when the event is an issue_comment or
when the pull_request originates from the same repo: add an if condition that
checks github.event_name == 'issue_comment' || (github.event_name ==
'pull_request' && github.event.pull_request.head.repo.full_name ==
github.repository) and apply it to the job or the "Organization Members" step
that uses secrets.READ_MEMBERS_SCOPE to prevent running on forked PRs.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 58c240d and 43f5345.

📒 Files selected for processing (1)
  • .github/workflows/cla.yml

Comment on lines +5 to 6
pull_request:
types: [opened,closed,synchronize]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/cla.yml

Repository: SpecterOps/AzureHound

Length of output: 1828


🏁 Script executed:

rg -n '^\s*pull_request:|READ_MEMBERS_SCOPE|REPO_SCOPE|head\.repo\.full_name|github\.repository' .github/workflows/cla.yml

Repository: SpecterOps/AzureHound

Length of output: 396


Guard pull_request executions that require secrets.

The "Organization Members" step runs unconditionally and uses secrets.READ_MEMBERS_SCOPE, but pull_request triggers from forks don't expose repository secrets. This causes the workflow to fail for external contributor PRs. Add a job-level condition to allow the workflow to run only on issue_comment events (which have secrets) or same-repository pull_request events:

 jobs:
   CLAssistant:
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
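
Review bot: the `if:` added on the CLAssistant job skips the whole job for fork pull requests, not only the "Organization Members" step that reads secrets.READ_MEMBERS_SCOPE, so on pull_request events an external contributor's PR gets no CLA run at all and is covered only through issue_comment. If that is intended, state it in a comment next to the condition; otherwise move the condition onto the secret-using step. The `github.event_name != 'pull_request'` form also lets any trigger added to the workflow later run the job, whereas the explicit `github.event_name == 'issue_comment' || (...)` form given in the agent prompt does not, so the explicit form is the safer default.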

This preserves CLA functionality for issue comments while preventing secret exposure issues on fork PRs.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cla.yml around lines 5 - 6, The workflow runs the
"Organization Members" step unconditionally but uses secrets.READ_MEMBERS_SCOPE
which is unavailable to forked pull_request events; add a job-level conditional
so the job (or the "Organization Members" step) only runs when the event is an
issue_comment or when the pull_request originates from the same repo: add an if
condition that checks github.event_name == 'issue_comment' || (github.event_name
== 'pull_request' && github.event.pull_request.head.repo.full_name ==
github.repository) and apply it to the job or the "Organization Members" step
that uses secrets.READ_MEMBERS_SCOPE to prevent running on forked PRs.
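
The review above quotes two spellings of the job guard. The following added example (not part of the PR, the repository, or CodeRabbit's output) models both over constructed event contexts to show where they agree and where they differ. The repository names, the deleted-fork case and the workflow_dispatch case are assumptions made for illustration.

```python
# Added example: models the two `if:` guards quoted in the review comment.
# All event contexts below are constructed; names are placeholders.

REPO = "example-org/example-repo"  # placeholder for github.repository


def same_repo(ctx):
    # Actions compares strings case-insensitively; a deleted head repo is null.
    head = ctx.get("head_repo")
    return head is not None and head.lower() == ctx["repository"].lower()


def guard_short(ctx):
    # github.event_name != 'pull_request' || <head repo> == github.repository
    return ctx["event_name"] != "pull_request" or same_repo(ctx)


def guard_explicit(ctx):
    # github.event_name == 'issue_comment' ||
    #   (github.event_name == 'pull_request' && <head repo> == github.repository)
    return ctx["event_name"] == "issue_comment" or (
        ctx["event_name"] == "pull_request" and same_repo(ctx))


def secrets_available(ctx):
    # As stated in the review: fork pull_request runs get no repository secrets.
    return ctx["event_name"] != "pull_request" or same_repo(ctx)


CASES = {
    "same-repo PR": {"event_name": "pull_request", "repository": REPO, "head_repo": REPO},
    "fork PR": {"event_name": "pull_request", "repository": REPO, "head_repo": "outsider/example-repo"},
    "deleted-fork PR": {"event_name": "pull_request", "repository": REPO, "head_repo": None},
    "issue_comment": {"event_name": "issue_comment", "repository": REPO},
    # Assumption: a trigger someone adds to the workflow later.
    "workflow_dispatch": {"event_name": "workflow_dispatch", "repository": REPO},
}


def runs_without_secrets(guard):
    """Cases where the job would start but secrets.* would be empty."""
    return [n for n, c in CASES.items() if guard(c) and not secrets_available(c)]


def divergent_cases():
    """Cases where the two guards from the review disagree."""
    return [n for n, c in CASES.items() if guard_short(c) != guard_explicit(c)]
```

Both guards keep the job off fork pull requests; they differ only for events other than pull_request and issue_comment, which the short form allows and the explicit form blocks.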

@mykeelium mykeelium merged commit a2f1668 into main Mar 2, 2026
10 checks passed