From 31ef45e2f11543a07773fd0e802efe2409da9638 Mon Sep 17 00:00:00 2001
From: Stephanos Ioannidis
Date: Thu, 17 Jul 2025 09:04:57 +0900
Subject: [PATCH] ci: maintainer_check: Use zephyrbot token

This commit updates the maintainer check workflow to use the zephyrbot "PR assigner" token with `org:read` permission because the default workflow token is not able to retrieve organisation-level user membership information.

Note that the workflow trigger condition is changed from `pull_request` to `pull_request_target` because non-workflow secrets may not be accessed from `pull_request` trigger for security reasons.

Signed-off-by: Stephanos Ioannidis
---
.github/workflows/maintainer_check.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/maintainer_check.yml b/.github/workflows/maintainer_check.yml
index 69602c21b9c..dee115e8ced 100644
--- a/.github/workflows/maintainer_check.yml
+++ b/.github/workflows/maintainer_check.yml
@@ -1,7 +1,7 @@ name: Maintainer file check on: - pull_request: + pull_request_target: branches: - main paths:
@@ -37,7 +37,7 @@ jobs: - name: Check maintainer file changes env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.ZB_PR_ASSIGNER_GITHUB_TOKEN }} run: | python ./scripts/ci/check_maintainer_changes.py \ --repo zephyrproject-rtos/zephyr mainline_MAINTAINERS.yml MAINTAINERS.yml
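Review bot: With the trigger changed to `pull_request_target`, this workflow runs for fork pull requests with repository secrets available, and the steps between the two hunks (not shown) decide whether that is safe. If one of them checks out the pull request head into the workspace, `python ./scripts/ci/check_maintainer_changes.py` in the second hunk would run contributor-supplied code with `ZB_PR_ASSIGNER_GITHUB_TOKEN` in its environment. The script should be taken from the base ref and the pull request's `MAINTAINERS.yml` fetched only as data, with `persist-credentials: false` on any checkout step. If the file has no `permissions:` block, adding one with `contents: read` would limit what the default token can do under this trigger.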
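Review bot: The replaced `GITHUB_TOKEN` line in the `env:` block of the second hunk carries no comment saying why a bot token is used instead of the workflow token; the commit message explains it, but the file will not. I would add `# zephyrbot token with org:read; the default workflow token cannot read organisation membership` above it. Since the script now reads a contributor-edited `MAINTAINERS.yml` while holding this token, it is worth confirming (the script is not part of this patch) that it parses the file with a safe YAML loader and never echoes the token. The step itself starts inside the hunk, but the enclosing job starts outside it.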