From 7d36f98370f3d6c194448e0065e3fcca848024cb Mon Sep 17 00:00:00 2001
From: borislavr <noreply@github.com>
Date: Mon, 13 Oct 2025 09:16:11 +0000
Subject: [PATCH 1/3] fix(ci): update PR auto-assignment workflow to use
 pull_request event and improve fork handling Related issue:
 pull_request_target vulnerability 
 (https://nx.dev/blog/s1ngularity-postmortem)

---
 .github/workflows/pr-assigner.yml | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml
index 6509b46..75601f9 100644
--- a/.github/workflows/pr-assigner.yml
+++ b/.github/workflows/pr-assigner.yml
@@ -1,10 +1,10 @@
 name: PR Auto-Assignment
 run-name: "Assigning reviewers for PR #${{ github.event.pull_request.number }}"
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, reopened, synchronize]
     branches:
-    - main
+      - main
 
 permissions:
   pull-requests: write
@@ -13,11 +13,19 @@ permissions:
 jobs:
   pr-auto-assign:
     runs-on: ubuntu-latest
+
     steps:
-    - uses: actions/checkout@v4
+      - name: Check if PR is from a fork
+        run: |
+          if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.event.pull_request.base.repo.full_name }}" ]; then
+            echo "⚠️ Pull request is from a fork — skipping assignee assignment (no write permissions)."
+            exit 0
+          fi
+
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
-    - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@main
-      with:
-        assignees-count: 2
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+      - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}

From 78480067899af088c2512a231ba016ac209910d3 Mon Sep 17 00:00:00 2001
From: borislavr <noreply@github.com>
Date: Mon, 13 Oct 2025 10:18:08 +0000
Subject: [PATCH 2/3] fix(ci): update PR auto-assignment workflow to use
 pull_request event and improve fork handling Related issue:
 pull_request_target vulnerability 
 (https://nx.dev/blog/s1ngularity-postmortem)

---
 .github/workflows/pr-assigner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml
index 75601f9..2373943 100644
--- a/.github/workflows/pr-assigner.yml
+++ b/.github/workflows/pr-assigner.yml
@@ -28,4 +28,4 @@ jobs:
 
       - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 37f7ccfea1f9c5dc0ce4b30c6b958d4ae45d8421 Mon Sep 17 00:00:00 2001
From: borislavr <noreply@github.com>
Date: Tue, 14 Oct 2025 07:33:29 +0000
Subject: [PATCH 3/3] fix(ci): update PR auto-assignment workflow to use
 pull_request event and improve fork handling Related issue:
 pull_request_target vulnerability 
 (https://nx.dev/blog/s1ngularity-postmortem)

---
 .github/workflows/pr-assigner.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pr-assigner.yml b/.github/workflows/pr-assigner.yml
index 2373943..66965ff 100644
--- a/.github/workflows/pr-assigner.yml
+++ b/.github/workflows/pr-assigner.yml
@@ -1,7 +1,7 @@
 name: PR Auto-Assignment
 run-name: "Assigning reviewers for PR #${{ github.event.pull_request.number }}"
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - main
@@ -26,6 +26,6 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@0f2be042d7c833c6bf60df85732609b7991fb821 #2.0.0
+      - uses: netcracker/qubership-workflow-hub/actions/pr-assigner@b575bad3a0959c4e883bc34f9d055ff07fde2dbd #2.0.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}