Commit 31ebe31
fix(ci): restrict workflow_run test jobs to same-repo runs only
The `test` jobs in custard-run.yaml and custard-run-dev.yaml use
`workflow_run` as a trigger (fired by `Custard CI` running on PRs,
including fork PRs). These jobs have `id-token: write` and authenticate
to GCP via Workload Identity Federation as
kokoro-system-test@long-door-651.iam.gserviceaccount.com.
Without a repository guard, the `test` job runs for fork-triggered
workflow_run events. It checks out the fork's code at
`github.event.workflow_run.head_sha` and executes `make test`, allowing
attacker-controlled code to run with live GCP credentials.
Add a guard condition so the credentialed `test` job only fires when the
triggering workflow originated from the same repository (not a fork):
github.event.workflow_run.head_repository.full_name == github.repository
Non-workflow_run triggers (push, workflow_dispatch) are unaffected.
1 parent 0f66e3e
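The shape of the fix described in the commit message, as an added illustration rather than the repository's own custard-run.yaml: a `workflow_run`-triggered job that holds `id-token: write`, authenticates to GCP through Workload Identity Federation and checks out the triggering run's head commit, with the same-repository guard in place. The workflow name `Custard CI`, the job name `test` and the service account come from the message; the branch list, the Workload Identity provider path, the action versions and the `make test` target are assumptions. It goes one step past the message by showing the guard combined with an `event_name` clause, because `github.event.workflow_run` is absent on push and workflow_dispatch events and a bare equality against `github.repository` would then evaluate to false and skip the job.

```yaml
# Added illustration, not the project's workflow file. Branch names, the
# Workload Identity provider path and action versions are assumed.
name: custard-run

on:
  push:
    branches: [main]
  workflow_dispatch:
  workflow_run:
    workflows: ["Custard CI"]   # runs for PRs from forks as well
    types: [completed]

permissions:
  contents: read
  id-token: write               # required for Workload Identity Federation

jobs:
  test:
    runs-on: ubuntu-latest
    # Before the fix there was no condition here, so a workflow_run event
    # fired by a fork PR reached the credentialed steps below.
    #
    # A guard of only
    #   github.event.workflow_run.head_repository.full_name == github.repository
    # closes the fork path but also skips push/workflow_dispatch runs, where
    # github.event.workflow_run does not exist and the comparison is false.
    # Hence the first clause:
    if: >-
      github.event_name != 'workflow_run' ||
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          # For workflow_run, test the commit that the triggering run built;
          # for push/workflow_dispatch, fall back to the event's own SHA.
          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}

      - uses: google-github-actions/auth@v2
        with:
          # Provider path is a placeholder; the project's real value is not on this page.
          workload_identity_provider: projects/000000000000/locations/global/workloadIdentityPools/github/providers/github
          service_account: kokoro-system-test@long-door-651.iam.gserviceaccount.com

      - run: make test
```

The `if:` belongs on the job, not on an individual step: a step-level guard would still let earlier steps (checkout of the fork's `head_sha`, token minting) run before the check. Comparing `head_repository.full_name` rather than `head_branch` is what distinguishes a fork, since a fork PR's head repository is the fork itself even when the branch name matches one in the upstream repository.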
2 files changed
Lines changed: 10 additions & 2 deletions
File 1 of 2 (one of custard-run.yaml / custard-run-dev.yaml; the page does not say which). The diff body did not survive extraction; only the line map remains: original line 59 removed, new lines 59-63 added, with lines 56-58 and 60-62 unchanged around the hunk.
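Review bot: the body of this hunk is missing from the rendering, so the one removed line and five added lines cannot be read here; from the commit message the added text is the job condition `github.event.workflow_run.head_repository.full_name == github.repository`. Please confirm that the `if:` also carries an `github.event_name != 'workflow_run' ||` clause (or equivalent): on a push or workflow_dispatch event `github.event.workflow_run` is absent, the comparison evaluates to false and the `test` job would be skipped, contradicting the message's claim that those triggers are unaffected. The 1-to-5 line shape is consistent with a multi-line `if:` block, but that cannot be verified from what is visible.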
File 2 of 2 (the other of custard-run.yaml / custard-run-dev.yaml). Diff body likewise absent; the line map shows original line 105 removed, new lines 105-109 added, with lines 102-104 and 106-108 unchanged around the hunk.
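Review bot: this hunk has the same 1-removed / 5-added shape as the one in the first file, which suggests the guard was copied verbatim; since the two workflows now carry duplicate security-critical conditions, add a short comment next to each `if:` stating why it exists (fork-triggered `workflow_run` events reach a job holding `id-token: write` and live GCP credentials), so that a later edit to one file does not drop or weaken the guard without the same change being made in the other. Adding the reason in the YAML also makes the check reviewable on its own, which this rendering, with the hunk text gone, shows the value of.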