Fixing semver check (#383)

We actually need to use `pull_request_target`. This is how delta-rs [does it](https://github.com/delta-io/delta-rs/blob/main/.github/workflows/dev_pr.yml) and is also what github support suggests. We do take a risk that if someone exploits `cargo semver-checks` they could execute code against our repo. That doesn't seem like a high risk. The check won't run here as in this case we really do need it to be merged to main.
delta-incubator · Oct 9, 2024 · 1c4b9ce · 1c4b9ce
1 parent 4b602ae
commit 1c4b9ce
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/.github/workflows/semver-checks.yml b/.github/workflows/semver-checks.yml
@@ -1,6 +1,13 @@
 name: semver-checks
 
-on: [pull_request]
+# Trigger when a PR is opened or changed
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
 
 env:
   CARGO_TERM_COLOR: always
@@ -10,6 +17,7 @@ jobs:
   check_if_pr_breaks_semver:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: write
     steps:
       - uses: actions/checkout@v4