From 9c8b5c076ad8e262f6acae22f7eb72f6853fc137 Mon Sep 17 00:00:00 2001
From: schapper <schapper@amazon.com>
Date: Fri, 30 Jan 2026 11:49:07 -0800
Subject: [PATCH] Fix workflow trigger for Python package version check

`pull_request_target` runs against the base and doesn't work with paths,
so it's wrong. It is more targeted toward protecting workflows from
rogue PRs from forks.

This isn't an issue for this workflow because it doesn't use any
secrets, apart from ephemeral ones generated through OIDC flows, and
in any event it's protected from fork runs by the `if` check in
`check-python-package-versions.yaml` on line 11.
---
 .github/workflows/check-python-package-versions.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-python-package-versions.yaml b/.github/workflows/check-python-package-versions.yaml
index 4b0fdf41..1fa230ce 100644
--- a/.github/workflows/check-python-package-versions.yaml
+++ b/.github/workflows/check-python-package-versions.yaml
@@ -1,7 +1,7 @@
 name: Check Python package version numbers
 
 on:
-  pull_request_target:
+  pull_request:
     paths:
       - '**/pyproject.toml'
       - 'packages/**/__about__.py'