[bfops/wasm-test]: Merge remote-tracking branch 'wasm-fork/rust-web-sdk-updated' into bfops/wasm-test

Author: bfops

.github/workflows/pr_approval_check.yml

@@ -1,7 +1,17 @@
 name: Review Checks
 
+# SECURITY: This workflow uses pull_request_target so that it has write access to
+# set commit statuses on external (fork) PRs. pull_request_target runs in the
+# context of the base branch, which grants the GITHUB_TOKEN write permissions
+# that a regular pull_request event on a fork would not have.
+#
+# IMPORTANT: This workflow must NEVER check out, build, or execute code from the
+# PR branch. Doing so would allow a malicious fork to run arbitrary code with
+# write access to the repository. This workflow only reads PR metadata via the
+# GitHub API, which is safe.
+
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened]
   pull_request_review:
     types: [submitted, dismissed]
@@ -20,8 +30,8 @@ jobs:
   publish-approval-status:
     name: Set approval status
     runs-on: ubuntu-latest
-    if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
 
+    # SECURITY: Do not add a checkout step to this job. See comment at the top of this file.
     steps:
       - name: Evaluate and publish approval status
         uses: actions/github-script@v7
@@ -42,7 +52,10 @@ jobs:
               const pr = context.payload.pull_request;
               targetSha = pr.head.sha;
 
-              if (pr.user.login !== "clockwork-labs-bot") {
+              if (pr.head.repo.fork) {
+                state = "success";
+                description = "Skipped for external PR";
+              } else if (pr.user.login !== "clockwork-labs-bot") {
                 state = "success";
                 description = "PR author is not clockwork-labs-bot";
               } else {