From a8ea7c0ff7c158ae8ff9b72f55a1b978d0621da4 Mon Sep 17 00:00:00 2001 From: Prem Kumar Kalle Date: Fri, 10 Jul 2026 17:23:28 -0700 Subject: [PATCH] Fix(ci): allow checkout of gated PR head SHA under actions/checkout actions/checkout v7 now refuses to check out a pull_request_target ref other than the safe default, to block pwn-request attacks. Our checkouts of needs.get-sha.outputs.gitRef / inputs.gitRef are already gated by get-sha's author-association and safe-to-test label checks, so opt back in with allow-unsafe-pr-checkout: true on those two steps. Signed-off-by: Prem Kumar Kalle --- .github/workflows/tests-integration-reusable.yml | 4 ++++ .github/workflows/tests-integration.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/tests-integration-reusable.yml b/.github/workflows/tests-integration-reusable.yml index 88310436b1..31630fe37e 100644 --- a/.github/workflows/tests-integration-reusable.yml +++ b/.github/workflows/tests-integration-reusable.yml @@ -37,6 +37,10 @@ jobs: ref: ${{inputs.gitRef}} fetch-depth: 0 path: cli + # gitRef is only ever populated by tests-integration.yml's get-sha + # job, which is gated on OWNER/COLLABORATOR authors or the + # safe-to-test label. + allow-unsafe-pr-checkout: true - name: Checkout CF deployment tasks uses: actions/checkout@v7 diff --git a/.github/workflows/tests-integration.yml b/.github/workflows/tests-integration.yml index 7b81b88d4c..168dfb3872 100644 --- a/.github/workflows/tests-integration.yml +++ b/.github/workflows/tests-integration.yml @@ -78,6 +78,10 @@ jobs: with: ref: ${{needs.get-sha.outputs.gitRef}} fetch-depth: 0 + # get-sha only produces this ref for OWNER/COLLABORATOR authors or + # after a maintainer applies the safe-to-test label - see get-sha's + # if: condition above. + allow-unsafe-pr-checkout: true - name: Set Up Go uses: actions/setup-go@v6 with: