Resolve `latest-changes.yml`

author Yurii Motov <yurii.motov.monte@gmail.com>

Fri, 17 Apr 2026 14:08:44 +0000 (16:08 +0200)

committer Yurii Motov <yurii.motov.monte@gmail.com>

Fri, 17 Apr 2026 14:08:44 +0000 (16:08 +0200)
author Yurii Motov <yurii.motov.monte@gmail.com>
Fri, 17 Apr 2026 14:08:44 +0000 (16:08 +0200)
committer Yurii Motov <yurii.motov.monte@gmail.com>
Fri, 17 Apr 2026 14:08:44 +0000 (16:08 +0200)
diff --git a/.github/workflows/latest-changes.yml b/.github/workflows/latest-changes.yml

index 1325a6813f21872ea97c53ade5121ec10d23ab63..fd730846507afc1a36dde6211016a8b4dafd3976 100644 (file)
--- a/.github/workflows/latest-changes.yml
+++ b/.github/workflows/latest-changes.yml
@@ -1,7 +1,7 @@
  name: Latest Changes
  
  on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
      branches:
        - main
      types:
@@ -16,14 +16,18 @@ on:
          required: false
          default: 'false'
  
+permissions: {}
+
  jobs:
    latest-changes:
      runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
      steps:
        - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
          with:
            # To allow latest-changes to commit to the main branch
-          token: ${{ secrets.SQLMODEL_LATEST_CHANGES }}
+          token: ${{ secrets.SQLMODEL_LATEST_CHANGES }} # zizmor: ignore[secrets-outside-env]
+          persist-credentials: true # required by tiangolo/latest-changes
        # Allow debugging with tmate
        - name: Setup tmate session
          uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23
author	Yurii Motov <yurii.motov.monte@gmail.com>
	Fri, 17 Apr 2026 14:08:44 +0000 (16:08 +0200)
committer	Yurii Motov <yurii.motov.monte@gmail.com>
	Fri, 17 Apr 2026 14:08:44 +0000 (16:08 +0200)