From 31ebe318d7617cc7c39ddf1adc3adf7888830a4c Mon Sep 17 00:00:00 2001
From: adilburaksen <adilburaksen@gmail.com>
Date: Sun, 26 Apr 2026 15:12:47 +0300
Subject: [PATCH] fix(ci): restrict workflow_run test jobs to same-repo runs
 only

The `test` jobs in custard-run.yaml and custard-run-dev.yaml use
`workflow_run` as a trigger (fired by `Custard CI` running on PRs,
including fork PRs). These jobs have `id-token: write` and authenticate
to GCP via Workload Identity Federation as
kokoro-system-test@long-door-651.iam.gserviceaccount.com.

Without a repository guard, the `test` job runs for fork-triggered
workflow_run events. It checks out the fork's code at
`github.event.workflow_run.head_sha` and executes `make test`, allowing
attacker-controlled code to run with live GCP credentials.

Add a guard condition so the credentialed `test` job only fires when the
triggering workflow originated from the same repository (not a fork):

    github.event.workflow_run.head_repository.full_name == github.repository

Non-workflow_run triggers (push, workflow_dispatch) are unaffected.
---
 .github/workflows/custard-run-dev.yaml | 6 +++++-
 .github/workflows/custard-run.yaml     | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/custard-run-dev.yaml b/.github/workflows/custard-run-dev.yaml
index 596439a0f6..26c437a4a4 100644
--- a/.github/workflows/custard-run-dev.yaml
+++ b/.github/workflows/custard-run-dev.yaml
@@ -56,7 +56,11 @@ jobs:
       create-check-if: ${{ !!github.event.workflow_run }}
 
   test:
-    if: needs.affected.outputs.paths != '[]'
+    # Guard: workflow_run fires for fork PRs but executes with repository secrets
+    # (id-token: write / GCP WIF). Restrict credential use to same-repo runs.
+    if: |
+      needs.affected.outputs.paths != '[]' &&
+      (github.event_name != 'workflow_run' || github.event.workflow_run.head_repository.full_name == github.repository)
     needs: affected
     runs-on: ubuntu-latest
     timeout-minutes: 120 # 2 hours hard limit
diff --git a/.github/workflows/custard-run.yaml b/.github/workflows/custard-run.yaml
index 1ad7e86cea..53041326df 100644
--- a/.github/workflows/custard-run.yaml
+++ b/.github/workflows/custard-run.yaml
@@ -102,7 +102,11 @@ jobs:
           status: failure
 
   test:
-    if: needs.affected.outputs.paths != '[]'
+    # Guard: workflow_run fires for fork PRs but executes with repository secrets
+    # (id-token: write / GCP WIF). Restrict credential use to same-repo runs.
+    if: |
+      needs.affected.outputs.paths != '[]' &&
+      (github.event_name != 'workflow_run' || github.event.workflow_run.head_repository.full_name == github.repository)
     needs: affected
     runs-on: ubuntu-latest
     timeout-minutes: 120 # 2 hours hard limit