chore: switch github workflow to pull request trigger

[fabianburth]

What this PR does / why we need it

Harden our github workflows.

Which issue(s) this PR fixes

Testing

How to test the changes

Verification

• I have tested the changes locally by running ocm

[coderabbitai]

Warning

Rate limit exceeded

@fabianburth has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 15 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 0 minutes and 15 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 338f16b1-2d15-46b1-b7dd-6308672cc860

📥 Commits

Reviewing files that changed from the base of the PR and between c120b0a and d69ec6b.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

📝 Walkthrough

Walkthrough

Switched CI workflow trigger from pull_request_target to pull_request, removed workflow-level env.REF/env.REPO and explicit with.repository/with.ref from checkout steps, and replaced GitHub App token generation with secrets.GITHUB_TOKEN and ${{ github.actor }} for integration tests.

Changes

Cohort / File(s)	Summary
CI Workflow \.github/workflows/ci.yml	Changed workflow trigger to pull_request; removed env.REF/env.REPO and deleted explicit with.repository/with.ref from all actions/checkout uses; removed GitHub App token creation step; switched integration tests to GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} and GITHUB_USER: ${{ github.actor }}.
Go integration module (formatting) bindings/go/oci/integration/go.mod	Whitespace/formatting: added blank line(s) after module/go metadata and after the first require block; no dependency/version changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• chore: streamline release workflows and CLI build versioning #2131 — also updates GitHub Actions checkout/ref handling and removes explicit ref/repo inputs in favor of workflow defaults.

Suggested reviewers

• Skarlso
• jakobmoellerdev

Poem

🐰 I nibbled at YAML late tonight,
Swapped tokens for the runner's light,
Pulls now follow a simpler way,
Checkouts default and skip the fray,
CI hops on—everything's alright ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: switching the GitHub workflow trigger from pull_request_target to pull_request.
Description check	✅ Passed	The description states 'Harden our github workflows' which relates to the workflow security improvements in the changeset, though lacks detail about specific changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yml (1)

15-18: ⚠️ Potential issue | 🟠 Major

Add packages: read permission to the run_integration_tests job.

The run_integration_tests job passes GH_TOKEN to tests that build GHCR credential configurations (cli/integration/download_plugin_integration_test.go:215-227), but the workflow-level permissions block (ci.yml:15-18) only grants contents: read and checks: read. When permissions is explicitly declared, unspecified scopes become none, so this token lacks the packages: read permission required for authenticated GHCR access. Public GHCR packages can still be pulled anonymously, which means the job may pass without actually validating authenticated credential usage. Either add packages: read to enable proper credential testing or remove the credential injection if anonymous pulls are the intended path.

Suggested fix

  run_integration_tests:
    name: "Integration Tests"
    needs: discover_modules
    runs-on: ubuntu-latest
+   permissions:
+     contents: read
+     checks: read
+     packages: read
    if: ${{ fromJSON(needs.discover_modules.outputs.integration_test_modules_json)[0] != null }} # skip if no modules are found

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 15 - 18, The workflow-level
permissions block currently only grants contents: read and checks: read, causing
GH_TOKEN to lack packages: read for the run_integration_tests job; update the
.github/workflows/ci.yml permissions block (or the run_integration_tests job) to
include packages: read so the GH_TOKEN can authenticate GHCR pulls used by the
integration test (referencing the run_integration_tests job and the tests in
cli/integration/download_plugin_integration_test.go), or alternatively remove
the GH_TOKEN/credential injection from that job if anonymous pulls are intended.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 15-18: The workflow-level permissions block currently only grants
contents: read and checks: read, causing GH_TOKEN to lack packages: read for the
run_integration_tests job; update the .github/workflows/ci.yml permissions block
(or the run_integration_tests job) to include packages: read so the GH_TOKEN can
authenticate GHCR pulls used by the integration test (referencing the
run_integration_tests job and the tests in
cli/integration/download_plugin_integration_test.go), or alternatively remove
the GH_TOKEN/credential injection from that job if anonymous pulls are intended.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 13b3bc9b-a39a-4ea4-8b80-358f3ea54013

📥 Commits

Reviewing files that changed from the base of the PR and between babb3de and db6353f.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[coderabbitai]

Caution

Review failed

An error occurred during the review process. Please try again later.

📝 Walkthrough

Walkthrough

Switched CI workflow trigger from pull_request_target to pull_request, removed workflow-level env.REF/env.REPO and explicit with.repository/with.ref from checkout steps, and replaced GitHub App token generation with secrets.GITHUB_TOKEN and ${{ github.actor }} for integration tests.

Changes

Cohort / File(s)	Summary
CI Workflow \.github/workflows/ci.yml	Changed workflow trigger to pull_request; removed env.REF/env.REPO and deleted explicit with.repository/with.ref from all actions/checkout uses; removed GitHub App token creation step; switched integration tests to GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} and GITHUB_USER: ${{ github.actor }}.
Go integration module (formatting) bindings/go/oci/integration/go.mod	Whitespace/formatting: added blank line(s) after module/go metadata and after the first require block; no dependency/version changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• chore: streamline release workflows and CLI build versioning #2131 — also updates GitHub Actions checkout/ref handling and removes explicit ref/repo inputs in favor of workflow defaults.

Suggested reviewers

• Skarlso
• jakobmoellerdev

Poem

🐰 I nibbled at YAML late tonight,
Swapped tokens for the runner's light,
Pulls now follow a simpler way,
Checkouts default and skip the fray,
CI hops on—everything's alright ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: switching the GitHub workflow trigger from pull_request_target to pull_request.
Description check	✅ Passed	The description states 'Harden our github workflows' which relates to the workflow security improvements in the changeset, though lacks detail about specific changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}