From aa62d600bf6d8ca5a2e05f2ac4c2a4c913543019 Mon Sep 17 00:00:00 2001
From: Frank Elsinga
Date: Wed, 14 Jan 2026 14:12:20 +0100
Subject: [PATCH] add a zizmor ignore

---
 .github/workflows/mark-as-draft-on-requesting-changes.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/mark-as-draft-on-requesting-changes.yml b/.github/workflows/mark-as-draft-on-requesting-changes.yml
index fd24e135d..0d6bdc3d3 100644
--- a/.github/workflows/mark-as-draft-on-requesting-changes.yml
+++ b/.github/workflows/mark-as-draft-on-requesting-changes.yml
@@ -1,6 +1,11 @@
 name: Mark PR as draft when changes are requested
 
-on:
+# pull_request_target is safe here because:
+# 1. Only uses a pinned trusted action (by SHA)
+# 2. Has minimal permissions
+# 3. Doesn't checkout or execute any untrusted code from PRs
+# 4. Only adds/removes labels or changes the draft status
+on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types:
       - review_submitted
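Review bot: The `# zizmor: ignore[dangerous-triggers]` on the `on:` line suppresses the finding for the trigger as a whole, but the four reasons in the new comment describe jobs and steps outside this hunk, so nothing here keeps them true after a later edit. I would add the condition to the comment itself, for example `# Re-evaluate this ignore if a checkout step, a run: step that reads PR-controlled fields, or broader permissions is ever added`. Reason 2 ("minimal permissions") should be backed by an explicit `permissions:` block in the workflow or job rather than the repository default token scope; that cannot be confirmed from the lines shown. The workflow body continues past the end of the hunk, so reasons 1 and 3 are likewise unverified here.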