From 1cd32dd6de5d69375e36f1a85999d24b23f5075e Mon Sep 17 00:00:00 2001
From: exoego
Date: Sun, 2 Jun 2024 10:41:20 +0900
Subject: [PATCH 1/3] Document pull_request_target

---
 .github/workflows/ci.yml |  4 ++--
 README.md                | 27 ++++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2032bed..66bc1f2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,8 +20,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     if: |
-      (github.event.pull_request.head.repo.fork == true && github.event_name == 'pull_request_target') ||
-      (github.event.pull_request.head.repo.fork != true && github.event_name != 'pull_request_target')
+      ( github.event.pull_request.head.repo.fork && github.event_name == 'pull_request_target') ||
+      (!github.event.pull_request.head.repo.fork && github.event_name != 'pull_request_target')
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
diff --git a/README.md b/README.md
index f78ec5f..0c673ac 100644
--- a/README.md
+++ b/README.md
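Review bot: The rewritten `if` on the two `+` lines is the only thing that keeps a fork PR from running under both `pull_request` and `pull_request_target`, and it depends on `github.event.pull_request` being absent on `push` (null is falsy, so the second disjunct is true there), yet none of that is recorded next to the expression. A comment above `if: |` would spare the next reader a trip to the docs: `# Each PR runs once: fork PRs via pull_request_target (write-capable GITHUB_TOKEN), same-repo PRs and pushes via pull_request/push`. The same expression is copied, commented out, into the README example in this patch, so a later change to the gate has to be made in both places; the comment could say so. The `on:` block and the `ref` passed to `actions/checkout@v4` are outside this hunk.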
@@ -11,15 +11,33 @@ Analyzes each PR's impact on esbuild bundle size
 ### GitHub Action setup
 
 ```yaml
+name: esbuild-bundle-analyzer
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  ## Uncomment the following `pull_request_target` if your repository may receive PRs from forks.
+  ## Because `Pull_request_target` event should be used on PRs from forks due to GITHUB_TOKEN permission limitations.
+  #pull_request_target:
+  #  branches: [main]
+  #  types: [opened, edited, synchronize, reopened]
+
 permissions:
   contents: read # for checkout repository
   actions: read # for fetching base branch bundle stats
   pull-requests: write # for comments
 
 jobs:
-  build:
+  analyze:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    ## Uncomment the following `if` if your repository may receive PRs from forks.
+    ## Because `Pull_request_target` event should be used on PRs from forks due to GITHUB_TOKEN permission limitations.
+    #if: |
+    #  ( github.event.pull_request.head.repo.fork && github.event_name == 'pull_request_target') ||
+    #  (!github.event.pull_request.head.repo.fork && github.event_name != 'pull_request_target')
     steps:
       # Ensure you build your project before running this action
       # For example,
@@ -41,6 +59,13 @@ jobs:
       metafiles: "out/meta.json"
 ```
 
+###
+
+If your repository is public, you need to use `pull_request_target` event to run this action on PRs from forks.
+
+
+
+
 ### esbuild setup
 
 You need to [write ***meta file*** yourself after build](https://esbuild.github.io/api/#metafile).

From 72a37b208ba255bf75f47a309cb814a187cdeff6 Mon Sep 17 00:00:00 2001
From: exoego
Date: Sun, 2 Jun 2024 10:50:55 +0900
Subject: [PATCH 2/3] "edited" is for PR description, not needed

---
 .github/workflows/ci.yml | 1 -
 README.md                | 1 -
 2 files changed, 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 66bc1f2..b1810fa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,7 +8,6 @@ on:
     branches: [main]
   pull_request_target:
     branches: [main]
-    types: [opened, edited, synchronize, reopened]
 
 permissions:
   contents: read # for checkout repository
diff --git a/README.md b/README.md
index 0c673ac..508a6f2 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,6 @@ on:
   ## Because `Pull_request_target` event should be used on PRs from forks due to GITHUB_TOKEN permission limitations.
   #pull_request_target:
   #  branches: [main]
-  #  types: [opened, edited, synchronize, reopened]
 
 permissions:
   contents: read # for checkout repository

From 2d3a06a6db02760b80723882303a24887785baca Mon Sep 17 00:00:00 2001
From: exoego
Date: Sun, 2 Jun 2024 10:55:43 +0900
Subject: [PATCH 3/3] Added note

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index 508a6f2..d37da17 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,11 @@ permissions:
   pull-requests: write # for comments
 ```
 
+This action uses the `GITHUB_TOKEN` provided by GitHub Actions.
+Due to security limitation, `GITHUB_TOKEN` is not granted to write comments on PRs from forks on `pull_request` event.
+Instead, [`pull_request_target` event should be used on PRs from forks to overcome this limitation](https://docs.github.com/en/actions/security-guides/automatic-token-authentication).
+Please check the above setup example to use this action with `pull_request_target`.
+
 ## Action inputs
 
 | Name | Default | Description |
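Review bot: Dropping `types:` leaves `pull_request_target` on its default activity types (`opened`, `synchronize`, `reopened`), which is what the commit intends, but the trigger still carries no comment that it runs in the base repository with the base repository's `GITHUB_TOKEN` for PRs from forks, even though that is the whole reason it is enabled. Whether that is safe depends on what the job does with the PR: if a checkout step pins `ref` to the PR head and the build step then runs the project's own scripts (not visible in this hunk, inferred from the action's purpose), fork-controlled code executes with the `pull-requests: write` permission visible just below. Suggest `# Runs with the base repo's token for fork PRs: do not check out and execute PR-head code in this job` above `pull_request_target:`, and, where the PR head must be built, the split GitHub documents for this case — build and upload the stats from a `pull_request` workflow, post the comment from a `workflow_run` workflow. The `on:` block starts above the hunk.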