From f5d318d93431e9e458b8375fb58113980f8ecf58 Mon Sep 17 00:00:00 2001
From: Weston Steimel <author@code.w.steimel.me.uk>
Date: Mon, 23 Mar 2026 16:45:18 +0000
Subject: [PATCH] ci: add explicit ref to main and warning for
 pull_request_target workflow (#4693)

Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
---
 .github/workflows/detect-schema-changes.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/detect-schema-changes.yaml b/.github/workflows/detect-schema-changes.yaml
index 2d61478af..a58ded049 100644
--- a/.github/workflows/detect-schema-changes.yaml
+++ b/.github/workflows/detect-schema-changes.yaml
@@ -37,6 +37,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false
+          ref: main # IMPORTANT!  It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.
 
       - run: python .github/scripts/labeler.py
         env: