From cbc3df38fd5526d9a2fba2daeb238bdd79d3eb6d Mon Sep 17 00:00:00 2001
From: james-haytko_nwx
Date: Wed, 18 Feb 2026 14:53:55 -0600
Subject: [PATCH] Switch documentation reviewer to pull_request_target for fork secret access

Changes pull_request to pull_request_target so secrets (PRIVATE_AGENTS_REPO, ANTHROPIC_API_KEY) are available when the workflow runs against PRs from forked repos. Also locks the checkout to the PR head SHA instead of the branch ref to prevent TOCTOU attacks.

Generated with AI
Co-Authored-By: Claude Code
---
 .github/workflows/claude-documentation-reviewer.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/claude-documentation-reviewer.yml b/.github/workflows/claude-documentation-reviewer.yml
index e2b7a08253..71f34f2f70 100644
--- a/.github/workflows/claude-documentation-reviewer.yml
+++ b/.github/workflows/claude-documentation-reviewer.yml
@@ -1,7 +1,7 @@
 name: Documentation Reviewer
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, edited, reopened, synchronize]
     paths:
       - '**.md'
@@ -23,8 +23,8 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          # Ensures the action checks out the PR branch instead of main
-          ref: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+          # Use head SHA (not branch ref) to prevent TOCTOU attacks from forks
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
           fetch-depth: 0 # Need full history to compare with base branch
       - name: Get changed markdown files
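Review bot: Combining `pull_request_target` with a checkout of `github.event.pull_request.head.sha` runs this job with the repository's secrets (the commit names PRIVATE_AGENTS_REPO and ANTHROPIC_API_KEY) and, unless a `permissions:` block outside these hunks restricts it, a write-capable GITHUB_TOKEN, while the working tree now contains content chosen by the fork author; pinning the SHA closes the branch-mutation race the message describes but does not change that exposure. Any later step that executes or loads material from the checked-out tree (a script, a dependency install, a config file the reviewer tooling reads) would be running untrusted input with those credentials, and the steps after `Get changed markdown files` are not visible here, so this needs to be confirmed against the rest of the file. If the job only needs to read the changed `.md` files, keep the untrusted tree strictly as data and do not run anything from it; otherwise gate the privileged run, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, or split it into an unprivileged `pull_request` job that uploads an artifact and a `workflow_run` job that holds the secrets. Dropping `edited` from `types` is also worth considering, since a PR title or body edit now re-runs the privileged job. The replaced comment should state the trade-off explicitly, e.g. `# pull_request_target: runs with secrets against fork content — never execute anything from this checkout`.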