ci: automatically publish suppressions after merged PRs #8527

Status: Open

chadlwilson wants to merge 4 commits into dependency-check:main from chadlwilson:automatically-publish-suppressions

Conversation

chadlwilson (Collaborator) commented May 20, 2026

Description of Change

Alternate implementation of #8516 which triggers off merged pull requests targeting the branch.

As noted in #8516 (comment) the on.branch or normal on.pull_request triggers won't work, as they operate in the context of the relevant branch; however https://github.com/dependency-check/DependencyCheck/tree/generatedSuppressions is a bare tree/orphaned branch which does not contain the workflow definitions, so there is nothing to trigger. You can simulate a similar warning if you try and use workflow dispatch off this branch, which it won't let you.


The alternative is to use the (somewhat risky) pull_request_target event, which operates in the context of the default branch's workflow (main), in the PR target repository. This means it always uses the workflow definition off main, which in our case is what we want, albeit with some downsides.

This event type is pretty notorious recently for repos getting script-injected and tokens stolen due to "untrusted PR code" being used when misconfigured; so we have to be careful here, similar to the "Lint PR" workflow too. To mitigate all this, this only runs on post-review PR merges (which unfortunately GHA does not have a dedicated event for), and only those targeting the generatedSuppressions branch (and file paths to be extra paranoid).

IMO risk should be OK given it always checks out code from hard-coded generatedSuppressions branch, and does not inject/interpolate any variables from the PR context. We probably need some GHA workflow static analysis tooling though, to prevent regression.

Testing off my fork: https://github.com/chadlwilson/DependencyCheck/actions/workflows/publish-suppressions.yml

Related issues

Have test cases been added to cover the new functionality?

N/A
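An added, illustrative workflow (not the diff from this PR, whose file contents are not shown on this page) that applies the mitigations the description lists: a pull_request_target trigger limited to closed PRs against generatedSuppressions with a path filter, a merged-only job gate, read-only default token permissions, and a checkout pinned to the hard-coded branch rather than the PR head, with no PR-context values interpolated into scripts. The branch names come from the PR; the workflow name, path filter and publish step are assumptions.

```yaml
# Illustrative hardened workflow (assumption: not the actual file in this PR).
name: Publish suppressions

on:
  # pull_request_target runs the workflow from main with the base repo's
  # secrets, so every filter below narrows what can reach the job.
  pull_request_target:
    types: [closed]                  # "merged" has no event; gate on it in the job
    branches: [generatedSuppressions]
    paths:                           # assumed layout; restrict to the published files
      - 'suppressions/**'

# Default-deny token; grant write only to a job that actually pushes.
permissions:
  contents: read

jobs:
  publish:
    # A closed-but-unmerged PR also fires types: [closed]; only post-review
    # merges may proceed.
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Hard-coded base branch. Never github.event.pull_request.head.*:
          # a pull_request_target job must not check out or run PR code.
          ref: generatedSuppressions

      - name: Publish suppressions
        # No ${{ github.event.pull_request.* }} interpolation in the script:
        # title, body and branch name are attacker-controlled strings.
        run: |
          set -euo pipefail
          echo "Publishing suppressions from branch generatedSuppressions"
          ./publish.sh   # hypothetical publish step checked in on that branch
```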

@chadlwilson chadlwilson changed the title fix: automatically publish suppressions after merged PRs ci: automatically publish suppressions after merged PRs May 20, 2026
@chadlwilson chadlwilson requested a review from Copilot May 20, 2026 16:08
Copilot AI (Contributor) left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates GitHub Actions workflows to run in the safer pull_request_target context with clearer warning comments, and gates publishing suppressions to merged PRs.

Changes:

  • Switch publish-suppressions to trigger on pull_request_target (closed) for a specific branch/path and only proceed when the PR is merged.
  • Add pull_request_target safety warning comments to workflows.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File | Description
.github/workflows/publish-suppressions.yml | Adds pull_request_target trigger + merge gate for suppression publishing, plus safety notes.
.github/workflows/lint-pr.yml | Adds pull_request_target safety notes.


Comment thread .github/workflows/publish-suppressions.yml Outdated
Comment thread .github/workflows/lint-pr.yml Outdated
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
@chadlwilson chadlwilson requested a review from Copilot May 20, 2026 16:14
Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Comment thread .github/workflows/lint-pr.yml Outdated
Comment thread .github/workflows/publish-suppressions.yml
Comment thread .github/workflows/publish-suppressions.yml
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
@chadlwilson chadlwilson added the github_actions Pull requests that update Github_actions code label May 21, 2026

Development

Successfully merging this pull request may close these issues.

Improve publish-suppressions action trigger
