
Prevent workflow_run triggers from executing in forked repositories#4070

Merged

pelikhan merged 4 commits into main from copilot/update-workflow-run-trigger on Nov 15, 2025

Conversation

Copilot AI commented Nov 15, 2025

workflow_run triggers checked repository ID match but allowed execution in forks since IDs matched within the fork context. This created a security gap where malicious actors could modify workflows in forks and trigger them via workflow_run events.

Changes

  • pkg/workflow/role_checks.go: Added !github.event.workflow_run.repository.fork check combined with existing repository ID validation using AND logic
  • pkg/workflow/workflow_run_repo_safety_test.go: Added fork detection verification and TestWorkflowRunForkCheckPresent test
  • docs/: Updated security documentation to reflect fork prevention

Generated Condition

Before:

if: ((github.event_name != 'workflow_run') || 
     (github.event.workflow_run.repository.id == github.repository_id))

After:

if: ((github.event_name != 'workflow_run') || 
     ((github.event.workflow_run.repository.id == github.repository_id) &&
      (!(github.event.workflow_run.repository.fork))))

The condition now requires both repository ID match (cross-repo protection) and non-fork status (fork protection) for workflow_run events, while allowing all other event types through unchanged.

Original prompt

The compiler should update the generate code for workflow_run trigger to prevent execution when triggered by forked repositories.



Copilot AI and others added 2 commits November 15, 2025 18:15
- Update buildWorkflowRunRepoSafetyCondition to check repository.fork field
- Generated condition now prevents execution from forked repositories
- Add test verification for fork check presence
- Update documentation to reflect fork prevention
- All existing tests pass with new security enhancement

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- New TestWorkflowRunForkCheckPresent test verifies fork check presence
- Validates NOT operator is applied to repository.fork field
- Ensures AND operator combines repository ID and fork checks
- All workflow_run tests pass successfully

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update generated code for workflow_run trigger Prevent workflow_run triggers from executing in forked repositories Nov 15, 2025
Copilot AI requested a review from pelikhan November 15, 2025 18:24
@github-actions

Agentic Changeset Generator triggered by this pull request.

@pelikhan pelikhan marked this pull request as ready for review November 15, 2025 18:34
Copilot AI review requested due to automatic review settings November 15, 2025 18:34

Copilot AI left a comment


Pull Request Overview

This PR enhances the security of workflow_run triggers by adding fork detection to prevent malicious actors from modifying workflows in forks and triggering them via workflow_run events. The existing repository ID check prevented cross-repository attacks but didn't prevent execution when both the triggering and receiving workflows were in the same fork.

Key Changes:

  • Added !github.event.workflow_run.repository.fork check combined with existing repository ID validation using AND logic
  • Updated generated conditions to require both repository ID match and non-fork status
  • Enhanced test coverage with fork detection verification

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Summary per file:

  • pkg/workflow/role_checks.go: Implements fork detection by adding a NotNode check on the repository.fork property, combining it with the existing repository ID check using AND logic
  • pkg/workflow/workflow_run_repo_safety_test.go: Adds comprehensive test assertions verifying fork check presence, NOT operator usage, and proper combination with the repository ID check via the AND operator
  • docs/src/content/docs/reference/triggers.md: Updates trigger documentation to mention fork validation alongside repository validation
  • docs/src/content/docs/guides/security.md: Updates the security guide with a detailed explanation of fork prevention, including code examples and security benefits
  • .github/workflows/dev-hawk.lock.yml: Regenerated lock file with the new fork check in the activation job condition
  • .github/workflows/ci-doctor.lock.yml: Regenerated lock file with the new fork check in the activation job condition
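To make the gap described in the PR description and in the review concrete, here is an added example (not the project's own code) that builds the generated condition in the shape shown above, both before and after this PR, and evaluates the same logic over constructed workflow_run contexts. The Event type and its field names are assumptions made for illustration; they stand in for the github context fields the expression reads.

```go
package main

import "fmt"

// Event holds the github context fields the generated condition reads.
// Constructed for this example; it is not a type from the project.
type Event struct {
	EventName         string // github.event_name
	WorkflowRunRepoID int64  // github.event.workflow_run.repository.id
	WorkflowRunFork   bool   // github.event.workflow_run.repository.fork
	RepositoryID      int64  // github.repository_id
}

// buildCondition returns the `if:` expression in the shape the compiler emits.
// includeForkCheck=false reproduces the pre-PR condition, true the post-PR one.
func buildCondition(includeForkCheck bool) string {
	idMatch := "(github.event.workflow_run.repository.id == github.repository_id)"
	guard := idMatch
	if includeForkCheck {
		guard = "(" + idMatch + " && (!(github.event.workflow_run.repository.fork)))"
	}
	return "((github.event_name != 'workflow_run') || " + guard + ")"
}

// allowed evaluates the logic that expression encodes against a constructed event.
func allowed(e Event, includeForkCheck bool) bool {
	if e.EventName != "workflow_run" {
		return true // every other event type passes through unchanged
	}
	if e.WorkflowRunRepoID != e.RepositoryID {
		return false // cross-repository protection (present before this PR)
	}
	if includeForkCheck && e.WorkflowRunFork {
		return false // fork protection (added by this PR)
	}
	return true
}

func main() {
	// Constructed scenario: the run originated inside a fork, so the IDs match
	// (both refer to the fork) and only the fork flag distinguishes it.
	forkSelf := Event{"workflow_run", 42, true, 42}
	crossRepo := Event{"workflow_run", 7, false, 42}
	push := Event{"push", 0, false, 42}
	for _, withFork := range []bool{false, true} {
		fmt.Println(buildCondition(withFork))
		fmt.Printf("  fork-internal=%v cross-repo=%v push=%v\n",
			allowed(forkSelf, withFork), allowed(crossRepo, withFork), allowed(push, withFork))
	}
}
```

With the pre-PR condition the fork-internal run is allowed; with the new condition it is denied, while the cross-repository and push cases behave identically in both.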


@pelikhan pelikhan merged commit c0ed719 into main Nov 15, 2025
4 checks passed
@pelikhan pelikhan deleted the copilot/update-workflow-run-trigger branch November 15, 2025 18:48