Is the use of pull_request_target fully justified?

[pevogam]

Hi all,

I recently had to deal with a supply chain attack of (thankfully not our own) dependency which was executed via a CI/CD pipeline on GH actions and in particular in workflows using pull_request_target and I noticed the avocado framework (which is one of our major dependencies) makes use of that as well for some workflows. How justified is it and is it really needed?

Here some backgrounds on real time example attacks and suggested remedies:

https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/

[pevogam]

Sorry is this an AI response? This post was rather meant towards @clebergnu @richtja and other maintainers regarding their opinion on the matter.