<p dir="auto"><a href="https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/">https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/</a> might be interesting. It describes a setup where untrusted code is processed by an <code class="notranslate">on: pull_request</code> step (which has access to the pull request). In this step we could run danger, similar to what chef/chef is doing as mentioned above. The results of this analysis run can then be checked in as an artifact, and another trusted CI step can then be used to download the artifact and update the pull request labels. This second step is leveraging <code class="notranslate">on: pull_request_target:</code>.</p>
<p dir="auto">I think the overall approach might in fact work. At least the first step to run danger with <code class="notranslate">on: pull_request</code> should be able to successfully analyse the untrusted code in the pull request.</p>

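<p dir="auto">An added example, not part of the original comment or the project's code: whichever trigger the trusted step uses, the artifact it downloads was written by a job that ran pull-request code, so it has to be treated as untrusted input before any label is applied. The artifact format (JSON with <code class="notranslate">pr_number</code> and <code class="notranslate">labels</code>), the label allowlist and every name below are assumptions made for illustration.</p>

```ruby
require "json"

# Hypothetical allowlist: the only labels the trusted job may ever apply.
ALLOWED_LABELS = %w[frontend backend tests documentation dependencies].freeze
MAX_ARTIFACT_BYTES = 4096

class ArtifactRejected < StandardError; end

# Validates the raw artifact text produced by the untrusted analysis job.
# expected_pr comes from the trusted job's own event data, never the artifact.
def validated_labels(raw, expected_pr:)
  raise ArtifactRejected, "artifact too large" if raw.bytesize > MAX_ARTIFACT_BYTES

  begin
    data = JSON.parse(raw)
  rescue JSON::ParserError
    raise ArtifactRejected, "artifact is not valid JSON"
  end
  raise ArtifactRejected, "top level must be an object" unless data.is_a?(Hash)
  raise ArtifactRejected, "unexpected keys" unless data.keys.sort == %w[labels pr_number]
  raise ArtifactRejected, "PR number mismatch" unless data["pr_number"].eql?(expected_pr)

  labels = data["labels"]
  unless labels.is_a?(Array) && labels.all? { |l| l.is_a?(String) }
    raise ArtifactRejected, "labels must be an array of strings"
  end
  unknown = labels.uniq - ALLOWED_LABELS
  raise ArtifactRejected, "labels outside allowlist: #{unknown.inspect}" unless unknown.empty?

  labels.uniq
end

# Constructed sample artifacts (not taken from any real workflow run).
GOOD_ARTIFACT = '{"pr_number": 1234, "labels": ["frontend", "tests", "tests"]}'
FORGED_LABEL  = '{"pr_number": 1234, "labels": ["frontend", "security-reviewed"]}'
WRONG_PR      = '{"pr_number": 99, "labels": ["frontend"]}'
EXTRA_KEY     = '{"pr_number": 1234, "labels": [], "comment": "<script>"}'

if __FILE__ == $PROGRAM_NAME
  [GOOD_ARTIFACT, FORGED_LABEL, WRONG_PR, EXTRA_KEY].each do |raw|
    begin
      puts "apply: #{validated_labels(raw, expected_pr: 1234).inspect}"
    rescue ArtifactRejected => e
      puts "rejected: #{e.message}"
    end
  end
end
```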