From 6bd8597074cb0fa27b415f3d2664c62b395210b9 Mon Sep 17 00:00:00 2001
From: Tobias Wilken
Date: Sat, 24 Jan 2026 09:30:21 +0100
Subject: [PATCH] fix: restore pull_request_target for fork PR secrets access
The workflow was accidentally regressed to use pull_request instead of pull_request_target when PR #3 was squash merged. This prevented fork PRs from accessing repository secrets needed for the migrate app authentication.
Changes:
- Restore pull_request_target trigger
- Add sparse checkout of REPOSITORIES.md from PR
- Keep trusted scripts from main branch for security
- Maintain MIGRATE_APP_ID/PRIVATE_KEY env vars from PR #28
---
.github/workflows/drift-detection.yml | 29 +++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/drift-detection.yml b/.github/workflows/drift-detection.yml
index a5c15e9..af04468 100644
--- a/.github/workflows/drift-detection.yml
+++ b/.github/workflows/drift-detection.yml
@@ -1,7 +1,9 @@
name: Repository Drift Detection
+# Use pull_request_target to run trusted workflow from base repository
+# This allows access to secrets while running code from main branch
on:
- pull_request:
+ pull_request_target:
jobs:
detect-drift:
@@ -12,8 +14,25 @@ jobs:
contents: read
steps:
- - name: Checkout code
+ # Checkout the base repository (main branch) - trusted code
+ - name: Checkout base repository
uses: actions/checkout@v4
+ with:
+ ref: main
+
+ # Checkout PR's REPOSITORIES.md to see what changes are proposed
+ - name: Checkout PR REPOSITORIES.md
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ sparse-checkout: |
+ REPOSITORIES.md
+ sparse-checkout-cone-mode: false
+ path: pr-files
+
+ # Copy PR's REPOSITORIES.md to working directory
+ - name: Use PR's REPOSITORIES.md
+ run: cp pr-files/REPOSITORIES.md REPOSITORIES.md
- name: Setup Node.js
uses: actions/setup-node@v4
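Review bot: The new comment above `on:` says the run executes code from main, but with `pull_request_target` that is an invariant the rest of the job has to maintain, not something the trigger provides, so the comment should name which steps enforce it before a later edit quietly adds a full checkout of the PR head. Suggest replacing the two comment lines with `# pull_request_target: the job receives repository secrets and a base-repo token, so only base-branch code may run; the PR head is read solely for REPOSITORIES.md data (see the sparse checkout step below).` The `ref: main` on the base checkout in the next hunk is what actually pins the trusted code, so the "main branch" wording here only holds while that step keeps it.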
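Review bot: The PR-head checkout under `- name: Checkout PR REPOSITORIES.md` leaves the job's token persisted in `pr-files/.git/config` by default; since nothing from that tree should ever be executed or pushed, add `persist-credentials: false` under its `with:` (the base checkout can take the same setting unless a later step needs git authentication). The copied REPOSITORIES.md is authored by the PR submitter and is then parsed by trusted scripts that, per the commit message, hold the migrate app credentials in env, so the consumer outside this hunk should validate each entry against a strict owner/repo shape before it reaches a shell command or an API call. Minor: in non-cone mode the pattern `REPOSITORIES.md` is gitignore-style and also matches same-named files in subdirectories, so `/REPOSITORIES.md` anchors it to the repository root, and the `cp` step will fail the job when a PR deletes the file, which may be intended but deserves a comment saying so.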
@@ -63,8 +82,6 @@ jobs:
cat sync-preview.md >> $GITHUB_STEP_SUMMARY
- name: Comment PR with drift report and sync preview
- # Skip commenting on fork PRs (no write permissions), but drift report is available in workflow summary above
- if: github.event.pull_request.head.repo.full_name == github.repository
uses: actions/github-script@v7
with:
script: |
@@ -107,7 +124,7 @@ jobs:
- name: Check drift detection result
if: steps.drift.outputs.exit_code != '0'
run: |
- echo "❌ Transfer blocked: worlddriven lacks admin permission on source repository"
+ echo "❌ Transfer blocked: worlddriven-migrate app not installed on source repository"
echo "Review the drift report in the workflow summary above"
- echo "Grant worlddriven admin access to the source repository to unblock"
+ echo "Install the worlddriven-migrate app on the source repository to unblock"
exit 1
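Review bot: Dropping the same-repo guard on `- name: Comment PR with drift report and sync preview` makes the step run for fork PRs, which only works if the job's `permissions:` block grants `pull-requests: write`; the earlier hunk shows only `contents: read` at that level, so confirm the write grant is present (it presumably is, since the step worked for same-repo PRs), otherwise every PR now fails at this step rather than just forks being skipped. The removed comment documented why the guard existed, and a one-line replacement such as `# Runs for fork PRs too: under pull_request_target the token comes from the base repository, not the fork` keeps that context for the next reader. The step's `script:` body continues outside the hunk.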
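Review bot: The new `echo` lines under `- name: Check drift detection result` attribute any non-zero `steps.drift.outputs.exit_code` to the migrate app being missing on the source repository, which reads as a definite diagnosis for what may be a generic failure; if the drift script also exits non-zero on a malformed REPOSITORIES.md or an API error, the operator is sent to install an app that is already installed. If the script uses distinct exit codes, key the message on the specific value; otherwise phrase it as a likely cause, e.g. `echo "❌ Transfer blocked: drift check failed; a common cause is the worlddriven-migrate app not being installed on the source repository"`. The step that sets `exit_code` lies outside the hunk, so I cannot confirm which cases it covers.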