@elithrar
Created May 12, 2026 11:34
```yaml
# .github/workflows/no-pull-request-target.yml
name: pull_request_target considered dangerous
on:
  pull_request:
    paths:
      - ".github/workflows/**/*.yml"
      - ".github/workflows/**/*.yaml"
  push:
    branches:
      - main
    paths:
      - ".github/workflows/**/*.yml"
      - ".github/workflows/**/*.yaml"
permissions:
  contents: read
jobs:
  deny-pull-request-target:
    name: pull_request_target considered dangerous
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Fail if any workflow uses pull_request_target
        shell: bash
        run: |
          # Inline ast-grep rule: match any YAML scalar whose entire text is
          # pull_request_target, whether written bare, double-quoted or
          # single-quoted (the quoted node kinds include the quote characters,
          # hence the quotes inside the anchored regexes).
          RULE="$(cat <<'EOF'
          id: no-pull-request-target
          language: Yaml
          severity: error
          message: pull_request_target considered dangerous
          rule:
            any:
              - kind: string_scalar
                regex: '^pull_request_target$'
              - kind: double_quote_scalar
                regex: '^"pull_request_target"$'
              - kind: single_quote_scalar
                regex: "^'pull_request_target'$"
          EOF
          )"
          # --no-ignore hidden: do not apply the default hidden-file filter,
          # since the workflows live under the dot-directory .github.
          # --format github: emit ::error annotations on the offending lines.
          # An error-severity match makes ast-grep exit non-zero and fails the job.
          npx --yes --package @ast-grep/cli@0.42.2 ast-grep scan .github/workflows \
            --no-ignore hidden \
            --globs '**/*.yml' \
            --globs '**/*.yaml' \
            --format github \
            --inline-rules "$RULE"
```
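As an added illustration, not part of the gist, here is the shape of workflow the rule above is meant to catch, followed by the equivalent job on the plain `pull_request` event. The workflow names, the `npm` steps and the `NPM_TOKEN` secret are constructed for the example. The rule is a blanket ban; the actual hazard is the combination shown in the first document: `pull_request_target` runs in the context of the base branch, so the repository's `GITHUB_TOKEN` (with whatever write permissions the workflow has) and its secrets are available even when the pull request comes from a fork, and checking out the PR head and executing its code hands that privilege to the contributor.

```yaml
# Constructed example: flagged by the rule (bare string_scalar under on:).
name: ci-dangerous
on:
  pull_request_target:
  # on: ["pull_request_target"]     would also be flagged, as a double_quote_scalar
  # on: ['pull_request_target']     likewise, as a single_quote_scalar
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the contributor's commit from the fork ...
          ref: ${{ github.event.pull_request.head.sha }}
      # ... and executes code the contributor controls (install scripts, tests)
      # while base-repository secrets and a privileged GITHUB_TOKEN are in scope.
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
---
# Constructed example, second (separate) workflow file: passes the rule.
# On pull_request, a fork PR receives a read-only GITHUB_TOKEN and no
# repository secrets, so running the contributor's tests does not expose
# anything the contributor could not already read.
name: ci-safe
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Dropping the scan into a repository that legitimately uses `pull_request_target` for tasks that never check out or run PR code (labelling, commenting) will fail those workflows too; in that case the rule is still the right place to start, because each such exception then has to be argued for explicitly rather than slipping in unnoticed.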