From 02ea2dcdbffe8c682821325364826651359c6ae9 Mon Sep 17 00:00:00 2001 From: Michael Kubacki Date: Wed, 6 May 2026 18:35:06 -0400 Subject: [PATCH] .sync: Use pull_request_target for Rust version check workflow This workflow needs to use secrets for PRs from public forks, which is not available with the pull_request trigger currently used. pull_request_target is used instead since it allows access to secrets and the workflow is limited to simple toml parsing and validation not executing any code from the PR. Signed-off-by: Michael Kubacki --- .sync/workflows/leaf/rust-version-check.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.sync/workflows/leaf/rust-version-check.yml b/.sync/workflows/leaf/rust-version-check.yml index 419565a..3fc5aa3 100644 --- a/.sync/workflows/leaf/rust-version-check.yml +++ b/.sync/workflows/leaf/rust-version-check.yml @@ -18,7 +18,7 @@ name: Rust Version Change Detection on: - pull_request: + pull_request_target: branches: [main] types: [opened, synchronize] paths: @@ -26,9 +26,5 @@ on: jobs: check-rust-version: - permissions: - pull-requests: write - contents: read - uses: OpenDevicePartnership/patina-devops/.github/workflows/RustVersionCheck.yml@{% endraw %}{{ sync_version.patina_devops }} secrets: inherit
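Review bot: The `pull_request_target:` line in the first hunk makes this job run with base-repository secrets on pull requests from forks, and what keeps that safe is a property of the called RustVersionCheck.yml workflow (it must not check out or execute PR head content) that this file neither states nor enforces. Record the invariant next to the trigger, for example `# pull_request_target: runs with secrets on fork PRs; the called workflow must only read PR files as data and never build or run them`. The called workflow, visible in the second hunk, is referenced through the templated ref `{{ sync_version.patina_devops }}`, whose rendered value is not shown here. If that value resolves to a tag or branch rather than a full commit SHA, the code receiving the secrets can change without a commit in this repository, so a SHA pin is worth confirming.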
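Review bot: Removing the `permissions:` block in the second hunk, in the same change that switches to `pull_request_target`, leaves `check-rust-version` on the default GITHUB_TOKEN permissions, and for this trigger GitHub grants the token read/write repository access unless `permissions` is set. A reusable workflow can only narrow the permissions it receives from its caller, so the cap belongs here: restore `permissions:` with `pull-requests: write` and `contents: read`, adjusting only if the called workflow is known to need something else. `secrets: inherit` on the last line also forwards every secret available to this workflow. If the called workflow declares its secrets under `on.workflow_call.secrets`, passing only the named secret it needs would limit what a mistake in that workflow can expose.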