From 81090ce3f327025d16b54377b7195d1ff47845b2 Mon Sep 17 00:00:00 2001
From: Craigory Coppola
Date: Wed, 27 Aug 2025 14:58:55 -0400
Subject: [PATCH 1/2] chore(repo): limit pr validation runs to prs targetting master
---
 .github/workflows/pr-title-validation.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/pr-title-validation.yml b/.github/workflows/pr-title-validation.yml
index e5287794d3bbb..74b9ade05aea6 100644
--- a/.github/workflows/pr-title-validation.yml
+++ b/.github/workflows/pr-title-validation.yml
@@ -3,6 +3,7 @@ name: PR Title Validation
 on:
 pull_request_target:
 types: [opened, edited, synchronize, reopened]
+ branches: [master]
 jobs:
 validate-pr-title:
From 6bcf1bd4e865bc035dcacf3f9df6f8babd172c63 Mon Sep 17 00:00:00 2001
From: Craigory Coppola
Date: Wed, 27 Aug 2025 15:12:24 -0400
Subject: [PATCH 2/2] chore(repo): limit github token permissions in applicable runs
---
 .github/workflows/pr-title-validation.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pr-title-validation.yml b/.github/workflows/pr-title-validation.yml
index 74b9ade05aea6..26ac968cfe7eb 100644
--- a/.github/workflows/pr-title-validation.yml
+++ b/.github/workflows/pr-title-validation.yml
@@ -1,9 +1,10 @@
 name: PR Title Validation
 on:
- pull_request_target:
+ pull_request:
 types: [opened, edited, synchronize, reopened]
- branches: [master]
+
+permissions: read-all
 jobs:
 validate-pr-title:
@@ -13,8 +14,8 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v4
 with:
- # For pull_request_target, we need to checkout the base branch
- ref: ${{ github.event.pull_request.base.ref }}
+ # Ensure's validate-pr-title.js is the copy from master
+ ref: master
 - name: Setup Node.js
 uses: actions/setup-node@v4
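Review bot: In PATCH 2/2's first hunk (`@@ -1,9 +1,10 @@`), `permissions: read-all` gives the token read access to every scope, which is broader than the visible steps (a checkout and a Node setup) appear to need. A narrower grant such as `permissions:` with a nested `contents: read` would match the commit's stated goal more closely; add `pull-requests: read` only if the validation script calls the API, which is not visible here. The same hunk also removes the `branches: [master]` filter that PATCH 1/2 had just added, so the workflow again runs for PRs against any base branch. `branches` is accepted under `pull_request` as well, so if the removal was not intended, keep `branches: [master]` under the new trigger.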
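Review bot: In PATCH 2/2's second hunk (`@@ -13,8 +14,8 @@`), the new comment has a typo and does not say what the pin protects against; suggest `# Ensures validate-pr-title.js is master's copy, not the one from the PR`. With the `pull_request` trigger the workflow definition itself is, as far as I know, taken from the PR's merge ref, so `ref: master` pins the script but not the steps that invoke it. If this check is meant to be enforced rather than advisory, that limit is worth stating in the comment or covering with branch protection. The `steps` list starts before this hunk and continues past it, so the remainder of the job was not reviewed.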