security: gate pr-triage secrets on same-repository pull_request_target

DVHRMNTCBSL · DVHRMNTCBSL · commit 7ec1ef0bd145 · 2026-06-10T01:51:26.000-03:00
diff --git a/.github/workflows/pr-triage.yml b/.github/workflows/pr-triage.yml
@@ -12,7 +12,11 @@ on:
 
 jobs:
   agent-triage-pull-request:
-    if: github.event_name == 'workflow_dispatch' || !contains(github.event.pull_request.labels.*.name, 'google-contributor')
+    if: >-
+      github.event_name == 'workflow_dispatch' || (
+        github.event.pull_request.head.repo.full_name == github.repository &&
+        !contains(github.event.pull_request.labels.*.name, 'google-contributor')
+      )
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
