Revert label & env based external contributor CI workflows

.github/workflows/claude-code-review.yml

@@ -1,7 +1,7 @@
 name: Claude Code Review
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize]
     # Optional: Only run on specific file changes
     # paths:
@@ -13,12 +13,9 @@ on:
 jobs:
   claude-review:
     # Skip review for automated "Version Packages" PRs created by changesets
-    # For external PRs: requires manual approval via 'external-pr' environment
-    # For internal PRs: runs automatically without approval
     if: github.event.pull_request.title != 'Version Packages'
 
     runs-on: ubuntu-latest
-    environment: ${{ github.event.pull_request.head.repo.full_name != github.repository && 'external-pr' || null }}
     permissions:
       contents: read
       pull-requests: read
@@ -29,7 +26,6 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 1
 
       - name: Run Claude Code Review

.github/workflows/pkg-pr-new.yml

@@ -5,7 +5,7 @@ permissions:
   pull-requests: write # Required for pkg.pr.new to comment on PRs
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened]
     paths:
       - '**'
@@ -14,17 +14,13 @@ on:
 
 jobs:
   publish-preview:
-    # For external PRs: requires manual approval via 'external-pr' environment
-    # For internal PRs: runs automatically without approval
     runs-on: ubuntu-latest
     timeout-minutes: 15
-    environment: ${{ github.event.pull_request.head.repo.full_name != github.repository && 'external-pr' || null }}
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
 
       - name: Setup Node.js

.github/workflows/pullrequest.yml

@@ -4,8 +4,7 @@ permissions:
   contents: read
 
 on:
-  pull_request_target:
-    types: [opened, synchronize, reopened]
+  pull_request:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -20,8 +19,6 @@ jobs:
       version: ${{ steps.get-version.outputs.version }}
     steps:
       - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: actions/setup-node@v4
         with:
@@ -74,17 +71,12 @@ jobs:
         run: npm run test -w @repo/sandbox-container
 
   # E2E tests against deployed worker
-  # For external PRs: requires manual approval via 'external-pr' environment
-  # For internal PRs: runs automatically without approval
   e2e-tests:
     needs: unit-tests
     timeout-minutes: 30
     runs-on: ubuntu-latest
-    environment: ${{ github.event.pull_request.head.repo.full_name != github.repository && 'external-pr' || null }}
     steps:
       - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
 
       - uses: actions/setup-node@v4
         with:
@@ -105,7 +97,7 @@ jobs:
       - name: Set environment name
         id: env-name
         run: |
-          if [ "${{ github.event_name }}" = "pull_request_target" ]; then
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
             echo "env_name=pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
             echo "worker_name=sandbox-e2e-test-worker-pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
           else
@@ -163,7 +155,7 @@ jobs:
 
       # Cleanup: Delete test worker and container (only for PR environments)
       - name: Cleanup test deployment
-        if: always() && github.event_name == 'pull_request_target'
+        if: always() && github.event_name == 'pull_request'
         continue-on-error: true
         run: |
           cd tests/e2e/test-worker