
fix(ci): fix reviewer assignment permissions for fork PRs#12

Merged
bladehan1 merged 1 commit into develop from fix/ci-reviewer
Apr 9, 2026

Conversation

bladehan1 (Owner) commented Apr 9, 2026

Summary

  • Switch pull_request trigger to pull_request_target so the workflow has write access when triggered by fork PRs
  • Add explicit permissions block (contents: read, pull-requests: write) for least-privilege access
  • Remove redundant if: github.event_name == 'pull_request' condition

Why

Fork PRs running under pull_request trigger only get read-only GITHUB_TOKEN, causing the reviewer assignment step to fail silently. pull_request_target runs in the context of the base repo, granting the necessary write permissions.

Test plan

  • Verify workflow syntax with actionlint
  • Open a test PR from a fork to confirm reviewers are assigned automatically

🤖 Generated with Claude Code


Summary by cubic

Fixes reviewer auto-assignment for PRs from forks. Uses pull_request_target with minimal write access so the workflow can assign reviewers reliably.

  • Bug Fixes
    • Switch trigger from pull_request to pull_request_target to run with base repo permissions.
    • Add explicit permissions: contents: read, pull-requests: write.
    • Remove redundant if: github.event_name == 'pull_request' condition.

Written for commit b3327eb. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Updated internal workflow configuration to enhance code review process reliability and permissions management.

…er assignment

Fork PRs lack write access under `pull_request` trigger, causing reviewer
assignment to fail silently. Switch to `pull_request_target` and explicitly
grant `pull-requests: write` permission.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
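As an added illustration (not the project's actual pr-reviewer.yml), here is a metadata-only reviewer-assignment workflow in the shape the PR describes: pull_request_target with the explicit least-privilege permissions block and no checkout of fork code. The branch filter and event types are those quoted in the review comment further down; the reviewer handles and the gh-based assignment step are assumptions.

```yaml
# Added example, not the project's own workflow. Reviewer handles and the
# assignment command are placeholders/assumptions.
name: pr-reviewer

on:
  # With `on: pull_request`, a fork PR gets a read-only GITHUB_TOKEN and a
  # permissions block cannot raise it, so reviewer assignment failed silently.
  pull_request_target:
    # Security: keep this workflow metadata-only; do not checkout or execute
    # PR head code. pull_request_target runs in the base repo with a token
    # that can write, so anything fetched from the fork's head ref would run
    # with that token's rights.
    branches: [ 'develop', 'release_**' ]
    types: [ opened, edited, reopened ]

# Default for every job in this file: read-only.
permissions:
  contents: read

jobs:
  assign-reviewers:
    runs-on: ubuntu-latest
    # Job-level least privilege: exactly what requesting reviewers needs.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Intentionally no actions/checkout: the job never needs the PR's code.
      - name: Assign reviewers
        env:
          GH_TOKEN: ${{ github.token }}
          # Pass event data through env vars rather than interpolating
          # ${{ }} into the script: with `types` including `edited`, the PR
          # title, body and branch name are fork-controlled input.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_REPO: ${{ github.repository }}
          REVIEWERS: "maintainer-one,maintainer-two"  # placeholder handles
        run: |
          gh pr edit "$PR_NUMBER" --repo "$PR_REPO" --add-reviewer "$REVIEWERS"
```

Running `actionlint` over the file, as the PR's test plan does, catches syntax and expression mistakes but not the policy question of whether a step checks out fork code; that part stays a review-time check.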

coderabbitai Bot commented Apr 9, 2026

📝 Walkthrough

The GitHub Actions PR reviewer workflow was reconfigured to use pull_request_target trigger instead of pull_request, removing the job-level conditional and adding explicit permissions (contents: read, pull-requests: write) to the assign-reviewers job.

Changes

Cohort / File(s): GitHub Actions Workflow Configuration (.github/workflows/pr-reviewer.yml)
Summary: Changed workflow trigger from pull_request to pull_request_target, removed job-level conditional, and added explicit job permissions for content reading and pull request writing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A workflow takes a safer path,
From pull_request's gentle wrath,
To pull_request_target's trusted ground,
With permissions clear and safely bound,
A rabbit hops with joy today!

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed (check skipped because CodeRabbit's high-level summary is enabled)
  • Title check: ✅ Passed (the title clearly and specifically describes the main change: fixing reviewer assignment permissions for fork PRs by updating the CI workflow trigger mechanism)
  • Docstring Coverage: ✅ Passed (no functions found in the changed files to evaluate docstring coverage; check skipped)



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/pr-reviewer.yml (1)

4-4: Add a security guardrail comment to prevent future unsafe edits.

This workflow is currently safe (metadata-only, no checkout), but with pull_request_target + write token, future additions like checkout could introduce a security vulnerability. Add an explicit inline comment near the trigger to prevent risky edits later.

Suggested comment diff
 on:
   pull_request_target:
+    # Security: keep this workflow metadata-only; do not checkout or execute PR head code.
     branches: [ 'develop', 'release_**' ]
     types: [ opened, edited, reopened ]
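Review bot: the added comment records intent but does not enforce it; what actually keeps this pull_request_target job safe is already visible in the hunk's surroundings, namely no checkout of the PR head and a token scoped to pull-requests: write. Since `types` includes `edited`, it is worth extending the comment to say that PR title and body are fork-controlled input on every run and must be passed to `run:` steps via env, never interpolated with `${{ }}`.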
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-reviewer.yml at line 4, the workflow uses the pull_request_target trigger (pull_request_target:), which can be dangerous if future edits add a checkout or write token; add an explicit inline security guardrail comment immediately above or beside the pull_request_target line stating that this workflow must remain metadata-only and must not add actions/steps that perform repository checkout or use a write token (e.g., NO CHECKOUT/NO WRITE TOKEN) to prevent unsafe edits later.


📥 Commits

Reviewing files that changed from the base of the PR and between 3ab5adf and b3327eb.

📒 Files selected for processing (1)
  • .github/workflows/pr-reviewer.yml


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

@bladehan1 bladehan1 merged commit 2979ad1 into develop Apr 9, 2026
28 of 31 checks passed