Skip to content

Validate workflow_run origin in chained_e2e before using the repo_name artifact #27940

Description

@adilburaksen

chained_e2e.yml runs on workflow_run and consumes the repo_name artifact uploaded by trigger_e2e.yml (which runs on pull_request, forks included). download_repo_name doesn't currently verify that the run which produced the artifact came from this repository, so the downstream E2E jobs can take their checkout repository/ref from artifact contents that didn't necessarily originate from google-gemini/gemini-cli.

The fix is to validate the origin before consuming the artifact: gate download_repo_name on github.event.workflow_run.head_repository.full_name == github.repository, so a non-base-repo run falls back to the base repo/sha. If preserving E2E coverage for fork PRs matters, a maintainer-applied label gate is an alternative.

Implemented in #27753 (one file, ~16 lines).

Keeping the specifics light here since it's public; this came out of a Google OSS-VRP report and I'm happy to share full detail privately.

Metadata

Metadata

Assignees

No one assigned

    Type

    Fields

    No fields configured for Bug.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions