From bc0db22949133199d1f81e2f651280a338dd6321 Mon Sep 17 00:00:00 2001
From: Kayla Reopelle
Date: Wed, 3 Jun 2026 13:56:59 -0700
Subject: [PATCH] ci: Fix CodeQL warnings for renovate-semconv

Two concerns: 1. pull_request_target can be run with write permissions on forks and access to secrets. Since all branches referenced are in the same repo, we can just use pull_request 2. Script injection could hijack github.base_ref to do bad things
---
 .github/workflows/renovate-semconv.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/renovate-semconv.yml b/.github/workflows/renovate-semconv.yml
index 0a3b463a8..96b4b7a18 100644
--- a/.github/workflows/renovate-semconv.yml
+++ b/.github/workflows/renovate-semconv.yml
@@ -1,7 +1,7 @@
name: Renovate Semantic Conventions Post-Update
on:
- pull_request_target:
+ pull_request:
types: [opened, synchronize, edited]
paths:
- 'semantic_conventions/Rakefile'
@@ -32,9 +32,11 @@ jobs:
- name: Check if SPEC_VERSION changed
id: check_changes
+ env:
+ BASE_REF: ${{ github.base_ref }}
run: |
- git fetch origin ${{ github.base_ref }}
- if git diff origin/${{ github.base_ref }} HEAD -- semantic_conventions/Rakefile | grep -q "SPEC_VERSION"; then
+ git fetch origin "$BASE_REF"
+ if git diff "origin/$BASE_REF" HEAD -- semantic_conventions/Rakefile | grep -q "SPEC_VERSION"; then
echo "changed=true" >> $GITHUB_OUTPUT
else
echo "changed=false" >> $GITHUB_OUTPUT
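Review bot: With the trigger now `pull_request` (the `-  pull_request_target:` / `+  pull_request:` lines), a PR opened from a fork runs with a read-only `GITHUB_TOKEN` and no repository secrets, so any later step that pushes a commit or calls a write API — the rest of the workflow is outside this hunk — will fail on fork PRs rather than being skipped. Make that explicit by gating such steps (or the job) with `if: github.event.pull_request.head.repo.full_name == github.repository`, or document that fork PRs are unsupported. If the workflow does not already declare a top-level `permissions:` block, adding one scoped to what the post-update step actually needs (e.g. `permissions:` / `  contents: write`) would complete the least-privilege change CodeQL is asking for, since otherwise the token grant still falls back to the repository default.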
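Review bot: A failing `git diff` on the new `if git diff "origin/$BASE_REF" HEAD -- semantic_conventions/Rakefile | grep -q "SPEC_VERSION"; then` line is silently reported as `changed=false`, because the pipeline's exit status is consumed by `if` (errexit does not apply inside a condition) and `grep -q` on empty input just returns 1 — for example if the fetch only populated `FETCH_HEAD` and `origin/$BASE_REF` does not resolve. Capture the diff first so a bad ref aborts the step instead: `rakefile_diff=$(git diff "origin/$BASE_REF" HEAD -- semantic_conventions/Rakefile)` followed by `if grep -q "SPEC_VERSION" <<<"$rakefile_diff"; then`. The `env:` indirection for `github.base_ref` is the right fix for the injection finding, and with the `pull_request` event `$BASE_REF` is a same-repo branch name, so the quoting added here is sufficient; the unquoted `$GITHUB_OUTPUT` on the surrounding context lines is pre-existing and harmless.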