
require-pull-request-target-branches

Rule catalog ID: R032

Targeted pattern scope

GitHub Actions workflow YAML files triggered by pull_request_target.

What this rule reports

This rule reports pull_request_target triggers that do not scope the target base branches with branches or branches-ignore.

Why this rule exists

pull_request_target runs in the base repository context and can access privileges that ordinary forked pull request workflows do not. Adding branch filters narrows where that privileged automation can run and reduces accidental exposure across every protected branch.

โŒ Incorrectโ€‹

```yaml
on:
  pull_request_target:
    types:
      - opened

jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - run: echo privileged automation
```

✅ Correct

```yaml
on:
  pull_request_target:
    types:
      - opened
    branches:
      - main
      - releases/**

jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - run: echo privileged automation
```
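The check the rule performs, as an added stand-alone example (not code from eslint-plugin-github-actions-2): it inspects an already-parsed workflow object rather than the YAML source, so it needs no parser library, and it covers the shorthand `on:` forms and the YAML 1.1 quirk of `on` being read as boolean `true`. The sample workflows are constructed from the incorrect and correct cases above; treating an empty `branches` list as unscoped is this example's own choice.

```javascript
// Added example, not the plugin's own rule: reports pull_request_target
// triggers that carry neither `branches` nor `branches-ignore`.

const FILTER_KEYS = ["branches", "branches-ignore"];

// Normalise the three shapes the `on:` key can take into one object:
//   on: pull_request_target             (string)
//   on: [push, pull_request_target]     (array)
//   on: { pull_request_target: {...} }  (object, value may be null)
// YAML 1.1 parsers read the bare key `on` as boolean true, which becomes the
// string key "true" in JavaScript, so both spellings are accepted.
function triggersOf(workflow) {
  const on = workflow.on !== undefined ? workflow.on : workflow["true"];
  if (on === undefined || on === null) return {};
  if (typeof on === "string") return { [on]: null };
  if (Array.isArray(on)) return Object.fromEntries(on.map((n) => [n, null]));
  return on;
}

// A filter counts only when it is a non-empty list (or a non-empty string);
// treating `branches: []` as unscoped is this example's choice.
function hasBranchFilter(config) {
  if (config === null || typeof config !== "object") return false;
  return FILTER_KEYS.some((key) => {
    const value = config[key];
    return Array.isArray(value) ? value.length > 0 : typeof value === "string" && value !== "";
  });
}

// Returns one finding when the workflow's pull_request_target trigger is unscoped.
function checkPullRequestTargetBranches(workflow) {
  const triggers = triggersOf(workflow);
  if (!("pull_request_target" in triggers)) return [];
  if (hasBranchFilter(triggers.pull_request_target)) return [];
  return [{
    ruleId: "github-actions/require-pull-request-target-branches",
    message: "pull_request_target must be scoped with branches or branches-ignore",
  }];
}

// Constructed inputs mirroring the page's incorrect and correct examples.
const incorrectWorkflow = { on: { pull_request_target: { types: ["opened"] } } };
const correctWorkflow = {
  on: { pull_request_target: { types: ["opened"], branches: ["main", "releases/**"] } },
};
const shorthandWorkflow = { on: ["push", "pull_request_target"] }; // also unscoped

console.log(checkPullRequestTargetBranches(incorrectWorkflow).length); // 1
console.log(checkPullRequestTargetBranches(correctWorkflow).length);   // 0
```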

Additional examples

For larger repositories, this rule is often enabled together with one of the published presets so violations are caught in pull requests before workflow changes are merged.

ESLint flat config example

```js
import githubActions from "eslint-plugin-github-actions-2";

export default [
  {
    files: ["**/*.{yml,yaml}"],
    plugins: {
      "github-actions": githubActions,
    },
    rules: {
      "github-actions/require-pull-request-target-branches": "error",
    },
  },
];
```

When not to use it

You can disable this rule when its policy does not match your repository standards, or when equivalent enforcement is already handled by another policy tool.

Further reading