From 26f39746514541a8dbebd273495ab50fbf4912e3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Dec 2025 14:15:44 +0000
Subject: [PATCH 1/4] Initial plan
From 160181631b6e9a0f1e56677e40340b4e6b68506a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Dec 2025 14:18:29 +0000
Subject: [PATCH 2/4] Remove pull_request trigger from release workflow to fix security issue
Co-authored-by: gcatanese <1771700+gcatanese@users.noreply.github.com>
---
 .github/workflows/release.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 53d9238e..778026e1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,16 +13,9 @@ on:
 type: boolean
 default: false
 description: "Publish Github release for the current version"
- # Monitor pull request events
- pull_request:
- types:
- - closed
- branches:
- - main
 jobs:
 release:
- if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 permissions:
 contents: write
 pull-requests: write
From 21215c42ab2a554eb5b1853eba680d2e1ff417ad Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Dec 2025 15:30:26 +0000
Subject: [PATCH 3/4] Update release workflow to only run on merged PRs and remove pull-requests write permission
Co-authored-by: gcatanese <1771700+gcatanese@users.noreply.github.com>
---
 .github/workflows/release.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 778026e1..12a02881 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,12 +13,18 @@ on:
 type: boolean
 default: false
 description: "Publish Github release for the current version"
+ # Monitor pull request events
+ pull_request:
+ types:
+ - closed
+ branches:
+ - main
 jobs:
 release:
+ if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.merged == true && github.event.pull_request.head.repo.full_name == github.repository) }}
 permissions:
 contents: write
- pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
From 50399ef198e35f74d9ba084ab406e28a5d485ab6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Dec 2025 15:31:41 +0000
Subject: [PATCH 4/4] Add explanatory comment for conditional logic
Co-authored-by: gcatanese <1771700+gcatanese@users.noreply.github.com>
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 12a02881..826c0839 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,6 +22,7 @@ on:
 jobs:
 release:
+ # Run on manual dispatch OR when PR is merged from same repository
 if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.merged == true && github.event.pull_request.head.repo.full_name == github.repository) }}
 permissions:
 contents: write
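Review bot: The job-level `if:` added in PATCH 3/4 admits every event except `pull_request` (`github.event_name != 'pull_request' || …`), so the merged and same-repository checks guard only that one event name; the comment added in PATCH 4/4 describes the condition as "manual dispatch OR merged PR", which is narrower than what the expression allows. If another trigger such as `pull_request_target` were added to `on:` later, the job would run with `contents: write` without the fork check applying. An allowlist keeps the condition fail-closed: `if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.head.repo.full_name == github.repository) }}`. The `on:` block starts above the hunk, so any other trigger it already declares would have to be listed explicitly in that expression.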