From c128378e498d78fb0bebfedfe6ffa5a458a21bfd Mon Sep 17 00:00:00 2001
From: IQBAL HASAN
Date: Sun, 12 Apr 2026 10:38:51 +0600
Subject: [PATCH 1/2] fix: enable code quality workflow on pull requests
---
 .github/workflows/code-quality.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index e31d000..2a02dad 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -13,8 +13,8 @@ on:
 - '.github/workflows/code-quality.yml'
 - 'tsconfig.json'
 - 'package.json'
- # pull_request:
- # branches: [main, develop]
+ pull_request:
+ branches: [main, develop]
 permissions:
 contents: write
From 27a0d946923b1273e4c3d47967a21e174fc14737 Mon Sep 17 00:00:00 2001
From: IQBAL HASAN
Date: Sun, 12 Apr 2026 10:44:49 +0600
Subject: [PATCH 2/2] fix: isolate write permissions and add format check for PRs
- Set workflow-level permissions to contents: read (least-privilege for PR runs)
- Split auto-format/commit into a separate job gated to push only, with job-level contents: write
- Remove ref: github.head_ref from checkout (broken on push events and fork PRs)
- Add format:check step to quality-check job so formatting is validated on PRs
---
 .github/workflows/code-quality.yml | 35 ++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 2a02dad..6b488ba 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -17,7 +17,7 @@ on:
 branches: [main, develop]
 permissions:
- contents: write
+ contents: read
 jobs:
 quality-check:
@@ -27,9 +27,6 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v6
- with:
- ref: ${{ github.head_ref }}
- token: ${{ secrets.GITHUB_TOKEN }}
 - name: Setup Node.js
 uses: actions/setup-node@v6
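Review bot: In the `@@ -13,8 +13,8 @@` hunk of PATCH 1/2, `pull_request:` is switched on while the trailing context still shows workflow-level `contents: write`, so at this commit same-repository PR runs execute the job's install and lint steps (visible in PATCH 2/2) on PR-authored code with a write-scoped token. PATCH 2/2 narrows the permissions, but this intermediate state is what a bisect or partial cherry-pick would land on. Squashing the two patches, or applying the permissions change first, avoids it.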
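Review bot: In the `@@ -27,9 +27,6 @@` hunk of PATCH 2/2, the `quality-check` checkout is left with default inputs, so the job token stays persisted for later git commands while `npm ci` and the lint step run code supplied by the pull request. This job no longer pushes anything, so adding `with:` and `persist-credentials: false` under `uses: actions/checkout@v6` costs nothing and keeps the token away from install and lint scripts. The token is read-only after the permissions hunk, so this is defence in depth rather than a fix for a write path. The step list continues outside the hunk.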
@@ -40,16 +37,36 @@ jobs:
 - name: Install dependencies
 run: npm ci
- # Auto-fix formatting on push to main/develop (not on PRs)
- - name: Format code
- if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
- run: npx prettier --write .
+ - name: Check formatting
+ run: npm run format:check
 - name: Run ESLint
 run: npm run lint
+ auto-format:
+ name: Auto Format
+ if: github.event_name == 'push'
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version: '20'
+ cache: 'npm'
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Format code
+ run: npm run format
+
 - name: Commit formatting changes
- if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
 uses: stefanzweifel/git-auto-commit-action@v7
 with:
 commit_message: 'style: fix code formatting [skip ci]'
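Review bot: The new `auto-format` job is the only place that holds `contents: write`, yet its guard `if: github.event_name == 'push'` drops the `refs/heads/main` / `refs/heads/develop` test that the removed step-level conditions carried; unless the `push` branch filter (outside this hunk) already limits the trigger, keep it at job level: `if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')`. In that job `npm ci` runs dependency install scripts while the write token is persisted for the commit step, so `run: npm ci --ignore-scripts` is worth using there if formatting does not depend on them. `stefanzweifel/git-auto-commit-action@v7` is a mutable tag on a third-party action that now runs with write access; pinning it to a full commit SHA (placeholder `<full-commit-sha>`) removes the reliance on tag integrity. Separately, `npm run format:check` in `quality-check` also runs on push, so a push that `auto-format` would fix still shows a failed check, and the `[skip ci]` fix-up commit does not re-run it.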