From 983c6b56aa47c98a6b18d98153d1b81d98e2fe17 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 22 Jan 2026 15:46:12 +0000
Subject: [PATCH 1/3] Initial plan

From a652ae0eb2eadfe11259b9c4b731aecb57a39c28 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 22 Jan 2026 15:50:40 +0000
Subject: [PATCH 2/3] Fix dangerous-triggers linter error in Auto-Release workflow

- Add explicit checkout ref to base branch to prevent untrusted PR code execution
- Add zizmor ignore annotation with justification for pull_request_target usage
- Security mitigation: Only base branch code is checked out, never PR code
- Zizmor linter now passes without errors

Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
---
 .github/workflows/Auto-Release.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/Auto-Release.yml b/.github/workflows/Auto-Release.yml
index c1ab261..f2a5b18 100644
--- a/.github/workflows/Auto-Release.yml
+++ b/.github/workflows/Auto-Release.yml
@@ -3,7 +3,7 @@ name: Auto-Release
 run-name: "Auto-Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] Required for write permissions to create releases and comment on PRs. Mitigated by checking out base branch only.
     branches:
       - main
     types:
@@ -28,6 +28,7 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
+          ref: ${{ github.event.pull_request.base.ref }} # Checkout base branch, not PR code
           persist-credentials: false
       - name: Auto-Release

From 968475d3fef69dd6a2922ad802a237eefa7e3611 Mon Sep 17 00:00:00 2001
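Review bot: The added `ref: ${{ github.event.pull_request.base.ref }}` in the checkout step is not itself the mitigation the trigger comment claims: under `pull_request_target` actions/checkout already defaults to the base branch head, so the line records intent rather than adding a control, and the boundary that actually matters is the Auto-Release step that follows, whose body is outside the hunk. If that step consumes PR-controlled fields (`github.event.pull_request.title`, `body`, head branch name) inside a `run:` shell, checking out the base branch does not prevent the injection, so the justification should say what was verified, e.g. `# Base branch is the checkout default under pull_request_target; pinned explicitly, and no PR-controlled event fields are passed to shell in later steps`. The same justification text sits on the trigger line in the first hunk as a single overlong inline comment; moving it to comment lines above `on:` and leaving only `# zizmor: ignore[dangerous-triggers]` inline would keep the file readable.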
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 22 Jan 2026 16:16:18 +0000
Subject: [PATCH 3/3] Change from pull_request_target to pull_request trigger

- Remove pull_request_target trigger and use pull_request instead
- Remove explicit base branch checkout (not needed with pull_request)
- Remove zizmor ignore annotation (no longer needed)
- Zizmor linter passes without errors

Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
---
 .github/workflows/Auto-Release.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/Auto-Release.yml b/.github/workflows/Auto-Release.yml
index f2a5b18..b51f4b7 100644
--- a/.github/workflows/Auto-Release.yml
+++ b/.github/workflows/Auto-Release.yml
@@ -3,7 +3,7 @@ name: Auto-Release
 run-name: "Auto-Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
 on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] Required for write permissions to create releases and comment on PRs. Mitigated by checking out base branch only.
+  pull_request:
     branches:
       - main
     types:
@@ -28,7 +28,6 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
-          ref: ${{ github.event.pull_request.base.ref }} # Checkout base branch, not PR code
           persist-credentials: false
       - name: Auto-Release
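Review bot: Switching the trigger to `pull_request` silently drops the capability the previous commit's own message says the workflow needs: for pull requests opened from forks, `GITHUB_TOKEN` under `pull_request` is read-only and repository secrets are not exposed, so the Auto-Release step that follows the hunk (its body is outside the hunk) will presumably be unable to create releases or comment on fork PRs even though the linter is now satisfied. If contributions only come from branches in this repository that is the safer model and nothing else is needed; if fork PRs are expected, the step needs to tolerate a read-only token or the workflow needs the `pull_request_target` design with PR-controlled inputs kept out of any shell. A comment above `on:` recording which model was chosen would spare the next reader the linter back-and-forth, e.g. `# pull_request (not pull_request_target): fork PRs run with a read-only token, so releases are only expected from same-repo branches`.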