From 2a87687483f3cbd590ccfb201b290099cc02dbfb Mon Sep 17 00:00:00 2001
From: Lex Christopherson <lex@glittercowboy.com>
Date: Thu, 19 Mar 2026 21:23:15 -0600
Subject: [PATCH] fix: use pull_request_target so AI triage has secret access
 on PRs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pull_request events from forks/branches cannot access repo secrets,
causing 401 auth failures on every PR triage. pull_request_target runs
in the base repo context. Safe because the workflow only reads event
payload data and sparse-checks base branch docs — no PR code executes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ai-triage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ai-triage.yml b/.github/workflows/ai-triage.yml
index e97b417e3..60615fca5 100644
--- a/.github/workflows/ai-triage.yml
+++ b/.github/workflows/ai-triage.yml
@@ -3,7 +3,7 @@ name: AI Triage
 on:
   issues:
     types: [opened]
-  pull_request:
+  pull_request_target:
     types: [opened]
 
 permissions: