From 3b3c8bb5385963e9f6b994a54db987a49af94a28 Mon Sep 17 00:00:00 2001 From: jdx <216188+jdx@users.noreply.github.com> Date: Tue, 12 May 2026 09:30:22 -0400 Subject: [PATCH] ci: remove pull_request_target workflow (#469) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Deletes the only workflow in this repo triggered by `pull_request_target`. - `pull_request_target` runs in the context of the base repo (with secrets / write tokens) on PRs from forks, which is risky. The workflow only validated PR titles; not worth the trust footprint. ## Test plan - [ ] None — workflow file removal only. --- > [!NOTE] > **Low Risk** > Low risk: deletes a GitHub Actions workflow only; no application code or runtime behavior changes, and it reduces exposure from `pull_request_target` workflows. > > **Overview** > Removes the `semantic-pr-lint` GitHub Actions workflow that ran on `pull_request_target` to validate PR titles. > > This eliminates the repo’s only `pull_request_target` workflow, reducing the trust/secrets footprint for PRs (especially from forks). > > Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 907019cdfa4a19cb11694db8aa55776d0e9e0edb. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot). Co-authored-by: Claude Opus 4.7 (1M context) --- .github/workflows/semantic-pr-lint.yml | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 .github/workflows/semantic-pr-lint.yml diff --git a/.github/workflows/semantic-pr-lint.yml b/.github/workflows/semantic-pr-lint.yml deleted file mode 100644 index 9740186..0000000 --- a/.github/workflows/semantic-pr-lint.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -name: semantic-pr-lint - -on: - pull_request_target: - types: - - opened - - edited - - reopened - -jobs: - main: - name: Validate PR title - runs-on: ubuntu-latest - permissions: - pull-requests: read - steps: - - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
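Review bot: Deleting the `main` job (`name: Validate PR title`) removes the title check with no replacement, and the test plan is "None", so nothing confirms whether that check is configured as a required status. If it is, open PRs will wait on a check that never reports, so update the branch protection rules in the same change or state in the message that the check is not required. The rationale could also be more precise about this file: the removed job limited its token with `permissions: pull-requests: read`, pinned the action to a full commit SHA, and has no step that checks out the PR head, so the exposure being removed is narrower than the general `pull_request_target` risk the message describes. If title validation is still wanted, say whether running the same job on the `pull_request` trigger was considered.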