From: Yurii Motov <yurii.motov.monte@gmail.com>
Date: Fri, 17 Apr 2026 14:08:44 +0000 (+0200)
Subject: Resolve `latest-changes.yml`
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=a77420258e3fa4c6cd08a240ae9c1c9e26e643e5;p=thirdparty%2Ffastapi%2Fsqlmodel.git

Resolve `latest-changes.yml`
---

diff --git a/.github/workflows/latest-changes.yml b/.github/workflows/latest-changes.yml
index 1325a6813..fd7308465 100644
--- a/.github/workflows/latest-changes.yml
+++ b/.github/workflows/latest-changes.yml
@@ -1,7 +1,7 @@
 name: Latest Changes
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     branches:
       - main
     types:
@@ -16,14 +16,18 @@ on:
         required: false
         default: 'false'
 
+permissions: {}
+
 jobs:
   latest-changes:
     runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # To allow latest-changes to commit to the main branch
-          token: ${{ secrets.SQLMODEL_LATEST_CHANGES }}
+          token: ${{ secrets.SQLMODEL_LATEST_CHANGES }} # zizmor: ignore[secrets-outside-env]
+          persist-credentials: true # required by tiangolo/latest-changes
       # Allow debugging with tmate
       - name: Setup tmate session
         uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3.23