From 62fc26f60347805a99ba168f274a5462876a5ec8 Mon Sep 17 00:00:00 2001
From: Jonathan Visser
Date: Wed, 6 May 2026 14:57:09 +0200
Subject: [PATCH 1/2] fix: allow fork PRs to access secrets in deploy workflow

Use pull_request_target instead of pull_request to run the workflow in the context of the base repository, enabling secrets access for fork PRs. Explicitly checkout PR head SHA to build the correct code.
---
 .github/workflows/deploy.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index ec3fe3ea..6f66be0d 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,7 +1,7 @@
 name: Deploy application
 on:
- pull_request:
+ pull_request_target:
 push:
 branches:
 - 'master'
@@ -17,6 +17,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
 # Declares the repository safe and not under dubious ownership.
 - name: Add repository to git safe directories
 run: git config --global --add safe.directory $GITHUB_WORKSPACE
@@ -52,6 +53,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.sha || github.sha }}
 - name: download build artifact
 uses: actions/download-artifact@v4
 with:

From 054df844dda708f6120da8444222556501537837 Mon Sep 17 00:00:00 2001
From: Jonathan Visser
Date: Wed, 6 May 2026 15:01:39 +0200
Subject: [PATCH 2/2] fix: allow fork PRs to post review suggestions in lint workflow

Use pull_request_target to enable write access for fork PRs. Upgrade actions/checkout to v4 and actions/setup-python to v5 to address Node.js 20 deprecation warning.
---
 .github/workflows/lint.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 714d0c7c..8f482fb2 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
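Review bot: Replacing `pull_request:` with `pull_request_target:` in the first hunk, together with `ref: ${{ github.event.pull_request.head.sha || github.sha }}` in both checkout steps, makes the job build an unreviewed fork commit while holding the base repository's secrets and its GITHUB_TOKEN, which is the trust boundary the `pull_request` event exists to keep; the commit message names that as the intent, but it amounts to handing repository secrets to anyone who can open a PR. The same combination appears in the lint.yaml hunks of the second patch. A safer shape is to leave PR builds on `pull_request` (no secrets, read-only token) and keep the steps that need secrets on the `push:`/`master` path or in a job bound to a protected `environment` with required reviewers. If `pull_request_target` must stay, gate the job with an `if:` on the PR author's association or a maintainer-applied label (noting the author can still push after labelling) and add `persist-credentials: false` to each checkout so the token is not left in the fork tree's git config. Both checkout steps sit inside jobs whose remaining steps are outside these hunks.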
@@ -1,7 +1,7 @@
 name: Run linting and suggest changes
 on:
- pull_request:
+ pull_request_target:
 permissions:
 contents: read
@@ -15,8 +15,10 @@ jobs:
 python-version: ['3.12']
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - uses: actions/setup-python@v5
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install dependencies
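Review bot: Under the new `pull_request_target:` trigger, the checkout at `ref: ${{ github.event.pull_request.head.sha }}` in the second hunk places the fork's tree in front of the `Install dependencies` step that follows it, so a PR that changes the dependency manifest runs its own code in a job that now holds the repository's secrets and whatever scopes the `permissions:` block grants (only `contents: read` is visible here; the rest of that block and the job are outside the hunk). Keeping the linter on `pull_request` and posting the suggestions from a separate `workflow_run`-triggered workflow, which reads the lint output from an uploaded artifact and never checks out the fork, gives forks the same review comments without executing their code under a privileged token. If `pull_request_target` is retained, the checkout should at least carry `persist-credentials: false`, and since the visible `permissions:` block grants only `contents: read`, the write access the commit message relies on must come from a scope outside this hunk, which is worth confirming is limited to `pull-requests: write`. The second hunk's step list continues past the end of this patch excerpt.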