chained_e2e.yml runs on workflow_run and consumes the repo_name artifact uploaded by trigger_e2e.yml (which runs on pull_request, forks included). download_repo_name doesn't currently verify that the run which produced the artifact came from this repository, so the downstream E2E jobs can take their checkout repository/ref from artifact contents that didn't necessarily originate from google-gemini/gemini-cli.
The fix is to validate the origin before consuming the artifact: gate download_repo_name on github.event.workflow_run.head_repository.full_name == github.repository, so a non-base-repo run falls back to the base repo/sha. If preserving E2E coverage for fork PRs matters, a maintainer-applied label gate is an alternative.
Implemented in #27753 (one file, ~16 lines).
Keeping the specifics light here since it's public; this came out of a Google OSS-VRP report and I'm happy to share full detail privately.
chained_e2e.yml runs on workflow_run and consumes the repo_name artifact uploaded by trigger_e2e.yml (which runs on pull_request, forks included). download_repo_name doesn't currently verify that the run which produced the artifact came from this repository, so the downstream E2E jobs can take their checkout repository/ref from artifact contents that didn't necessarily originate from google-gemini/gemini-cli.
The fix is to validate the origin before consuming the artifact: gate download_repo_name on
github.event.workflow_run.head_repository.full_name == github.repository, so a non-base-repo run falls back to the base repo/sha. If preserving E2E coverage for fork PRs matters, a maintainer-applied label gate is an alternative.Implemented in #27753 (one file, ~16 lines).
Keeping the specifics light here since it's public; this came out of a Google OSS-VRP report and I'm happy to share full detail privately.