🩹[Patch]: Fix dangerous-triggers linter error in Auto-Release workflow #22

@MariusStorhaug

Description

Summary

The GITHUB_ACTIONS_ZIZMOR linter is failing with a dangerous-triggers error in the Auto-Release workflow. The workflow uses the pull_request_target trigger, which the linter flags as fundamentally insecure.

Error Details

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> /github/workspace/.github/workflows/Auto-Release.yml:5:1
   |
 5 | / on:
 6 | |   pull_request_target:
 7 | |     branches:
 8 | |       - main
...   |
13 | |       - synchronize
14 | |       - labeled
   | |_______________^ pull_request_target is almost always used insecurely
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#dangerous-triggers

Affected File

  • .github/workflows/Auto-Release.yml (lines 5-14)

Tasks

  • Review the zizmor documentation on dangerous triggers
  • Evaluate if pull_request_target is necessary or if pull_request can be used instead
  • If pull_request_target is required, implement security mitigations:
    • Ensure no untrusted code is executed
    • Pin the checkout to a safe ref (e.g., base branch)
    • Limit permissions appropriately
  • Update the workflow configuration
  • Verify the linter passes after changes
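As an added illustration of the mitigations listed in the tasks above (this is not the repository's actual Auto-Release.yml, whose full contents are not shown in this issue), the sketch below keeps a pull_request_target trigger for the events visible in the linter excerpt but checks out the base branch explicitly, never runs anything from the PR's tree, passes PR metadata through environment variables instead of interpolating it into a shell script, and scopes the token to the minimum an auto-release labeling job needs. The job name, step contents and the read/write permission split are assumptions; the trigger `types` beyond `synchronize` and `labeled` are elided in the error output and are not guessed here.

```yaml
# Added example, not the project's workflow: a pull_request_target job that
# keeps the privileged token but never executes code supplied by the PR.
name: Auto-Release

on:
  pull_request_target:
    branches:
      - main
    types:
      - synchronize
      - labeled

# Least privilege: deny everything at the workflow level, grant per job.
permissions: {}

jobs:
  release-label:                   # assumed job name
    runs-on: ubuntu-latest
    permissions:
      contents: read               # nothing here pushes commits or tags
      pull-requests: write         # needed only to label/comment on the PR
    steps:
      # Pin the checkout to the BASE ref. On pull_request_target the default
      # checkout is already the base branch, but stating it explicitly stops a
      # later edit from switching to the PR head
      # (github.event.pull_request.head.sha), which would run untrusted code
      # with a write-scoped token. Leave the token out of the working tree.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          persist-credentials: false

      # Do not run scripts, build steps or package installs from the checkout
      # if the PR could influence them; only the base branch's files are
      # present here, and this step touches none of them.
      # PR-controlled strings go through env vars rather than being
      # interpolated into the script body, so a crafted title cannot become
      # shell code.
      - name: Inspect PR metadata
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Evaluating PR #${PR_NUMBER}: ${PR_TITLE}"
```

If the workflow turns out not to need the base repository's secrets or a write token at all, switching the trigger to plain pull_request removes the finding outright; the hardened form above is for the case where the elevated token is genuinely required.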

Acceptance Criteria

  • GITHUB_ACTIONS_ZIZMOR linter passes without errors
  • Workflow remains functional
  • Security best practices are maintained

Reference
