diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml
index ff3871bf73..e0aba02d48 100644
--- a/.github/workflows/pr-conflict-checker.yml
+++ b/.github/workflows/pr-conflict-checker.yml
@@ -37,8 +37,7 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: 1
- # zizmor: ignore[artipacked]
- persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
+ persist-credentials: false # No write token in the untrusted PR-head tree; public repo so base fetch/changed-files work unauthenticated
 - name: Fetch PR base ref for tj-actions/changed-files
 env:
diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml
index 2a1f3d77f1..fc88a69e08 100644
--- a/.github/workflows/pr-merged.yml
+++ b/.github/workflows/pr-merged.yml
@@ -56,6 +56,6 @@ jobs:
 "PROWLER_PR_BODY": ${{ toJson(github.event.pull_request.body) }},
 "PROWLER_PR_URL": ${{ toJson(github.event.pull_request.html_url) }},
 "PROWLER_PR_MERGED_BY": "${{ github.event.pull_request.merged_by.login }}",
- "PROWLER_PR_BASE_BRANCH": "${{ github.event.pull_request.base.ref }}",
- "PROWLER_PR_HEAD_BRANCH": "${{ github.event.pull_request.head.ref }}"
+ "PROWLER_PR_BASE_BRANCH": ${{ toJson(github.event.pull_request.base.ref) }},
+ "PROWLER_PR_HEAD_BRANCH": ${{ toJson(github.event.pull_request.head.ref) }}
 }
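Review bot: In `pr-conflict-checker.yml`, the rationale for `persist-credentials: false` sits in a trailing comment that makes the line very long and folds two separate facts together: why the token is withheld, and why later git operations still work. I would move it above the key, e.g. `# Keep the job token out of .git/config: this tree is the untrusted PR head.` followed by `# Later fetches are unauthenticated and rely on the repository being public.`, and leave `persist-credentials: false` bare. The second fact is an assumption rather than a guarantee. The "Fetch PR base ref" step begins at the end of this hunk and its body is outside it, so it presumably fails in a private fork or mirror; a short comment on that step saying so would keep a later maintainer from re-enabling persistence to make it pass.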
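Review bot: In `pr-merged.yml`, `PROWLER_PR_MERGED_BY` in the context just above the changed lines is still spliced into the JSON as `"${{ github.event.pull_request.merged_by.login }}"`, so the payload mixes raw interpolation and `toJson(...)` for fields of the same event. GitHub constrains login names tightly, so this is a consistency point rather than a likely injection, but `"PROWLER_PR_MERGED_BY": ${{ toJson(github.event.pull_request.merged_by.login) }},` would put every value on one encoding path. `toJson` only guarantees a well-formed JSON string; `head.ref` is still chosen by the PR author, so whatever consumes this payload (not visible here) should treat it as data and never expand it into a shell command. The JSON object starts outside the hunk, so earlier fields could not be checked for the same pattern.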