security: gate PRT label workflows on same-repository pull_request_ta…#27783
Open
DVHRMNTCBSL wants to merge 1 commit into
Open
security: gate PRT label workflows on same-repository pull_request_ta…#27783DVHRMNTCBSL wants to merge 1 commit into
DVHRMNTCBSL wants to merge 1 commit into
Conversation
Contributor
|
Note Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported. |
|
📊 PR Size: size/XS
|
gemini-cli
Bot
added
the
status/need-issue
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pr-size-labeler.ymlandpr-rate-limiter.yamlrun onpull_request_targetfor external fork PRs and mutate PR labels/comments withGITHUB_TOKENwrite access.This PR adds a same-repository guard so automated PRT label/rate-limit jobs skip external fork PRs.
workflow_dispatchis preserved.Details
Before: Untrusted fork PRs trigger PRT label/rate-limit automation with pull-request write in base repo context.
After: Only same-repo
pull_request_targetpaths run; manualworkflow_dispatchunchanged.Change: Two coordinated
if:guards in:.github/workflows/pr-rate-limiter.yaml.github/workflows/pr-size-labeler.ymlNo live exploit performed against production. Static analysis / least-privilege hardening aligned with existing
eval-pr.ymlfork-guard patterns in this repo.Related
Proactive security hardening for Google OSS Patch Rewards (REPORT-015). Distinct from workflow_run/E2E chain fixes — this targets PRT label automation only.