From 2d98bddb411c706cd271539a05622365dcfdb341 Mon Sep 17 00:00:00 2001 From: Jie Chen Date: Mon, 10 Feb 2025 21:59:30 -0800 Subject: [PATCH] Switch to pull_request_target and set permissions explicitly --- .github/workflows/ci.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c70a4ff40a..f4307e155e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,7 +1,7 @@ name: CI on: - push - - pull_request + - pull_request_target env: GO_BUILD_CMD: 'go build "-ldflags=-s -w" -trimpath' @@ -19,7 +19,6 @@ env: LINUX_BOOT_FILES_PATH: ${{ github.workspace }}/LinuxBootFiles permissions: - id-token: write # This is required for OIDC login (azure/login) to succeed contents: read # This is required for actions/checkout to succeed jobs: @@ -250,16 +249,15 @@ jobs: - self-hosted - 1ES.Pool=containerplat-github-runner-pool-east-us-2 - 1ES.ImageOverride=github-mms-ubuntu-22 + permissions: + id-token: write # This is required for OIDC login (azure/login) to succeed + contents: read # This is required for actions/checkout to succeed steps: - name: Checkout hcsshim uses: actions/checkout@v4 with: show-progress: false - - name: Print ACTIONS_ID_TOKEN_REQUEST_URL - run: | - echo "ACTIONS_ID_TOKEN_REQUEST_URL=${{ secrets.ACTIONS_ID_TOKEN_REQUEST_URL }}" - # Install Azure CLI and login to Azure - name: Azure OIDC Login uses: azure/login@v2
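Review bot: The `- pull_request_target` entry in the `on:` list applies to every job in ci.yml, not only the one that needs Azure OIDC. Under this trigger, runs started by fork pull requests execute in the base repository's context, and `actions/checkout` without a `ref` checks out the base commit, so the build and test jobs would presumably stop exercising the PR's own changes. If any job outside these hunks checks out the PR head instead, fork-controlled code would run with whatever secrets and token permissions the workflow grants. Consider keeping `- pull_request` here and moving the OIDC-dependent job into a separate workflow on `pull_request_target`, gated by an environment with required reviewers.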
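Review bot: The job-level `id-token: write` added in the third hunk now also covers runs started by fork pull requests, on a `self-hosted` runner, so what this job executes after checkout matters more than it did. The `Checkout hcsshim` step has no `ref`, which under `pull_request_target` keeps it on the base commit; that is the safe choice, but nothing documents it, and a later edit pointing `ref` at the PR head would let fork code reach the Azure login step. I would add a comment above the step such as `# Do not check out the PR head here: this job runs with id-token: write under pull_request_target`, and set `persist-credentials: false` under `with:`. It is also worth confirming the subject filter on the Azure federated credential, since the OIDC subject for this trigger likely differs from the `pull_request` one. The job's definition starts and ends outside the hunk.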