fix(security): explicit branch check on nightly workflow_run trigger

anandray · anandray · commit a5f3976e8ff1 · 2026-05-06T17:23:25.000-07:00
Add `head_branch == 'develop'` guard to the nightly workflow's init job. The `branches: [develop]` filter on the trigger already enforces this, but static analyzers (OSSF Scorecard's DangerousWorkflow rule) can't trace that — they see workflow_run + head_sha checkout + secrets: inherit and flag the pattern critical regardless of the trigger filter. The explicit branch check ties the trust boundary to develop's branch protection (PR + code-owner review + required checks), which is the actual safety guarantee. All downstream jobs depend on init via needs:, so they inherit the gate without per-job changes. Behavior is unchanged: workflow_run runs that wouldn't have fired under the trigger filter still don't fire. Manual workflow_dispatch remains unaffected. Note: `workflow_run` triggers always execute the version of this file from main (per GitHub's rules), so this fix takes effect for runtime safety only after develop → main lands. The static-analysis finding (#760, alert #565) closes once the Scorecard scan re-runs against develop with this change. Fixes #760
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -47,7 +47,23 @@ jobs:
   init:
     name: Initialize
     # Skip when CI failed; manual dispatch always runs.
-    if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
+    #
+    # The `head_branch == 'develop'` guard makes explicit what the
+    # `branches: [develop]` filter on the trigger already enforces:
+    # this workflow runs privileged jobs (secrets: inherit, contents:
+    # write) on the head_sha of the triggering CI run. Static analyzers
+    # (e.g. OSSF Scorecard's DangerousWorkflow rule) flag workflow_run
+    # patterns that checkout `head_sha` without a branch check, since
+    # in principle workflow_run can be triggered by CI runs on any
+    # branch and a checkout of an untrusted ref with secrets is the
+    # canonical supply-chain attack vector. The explicit branch check
+    # below ties the trust boundary to develop's branch protection
+    # (PR + code-owner review + required checks), which is the actual
+    # safety guarantee.
+    if: >
+      github.event_name == 'workflow_dispatch' ||
+      (github.event.workflow_run.conclusion == 'success' &&
+       github.event.workflow_run.head_branch == 'develop')
     uses: ./.github/workflows/_init.yaml
     with:
       # `head_sha` pins the build to the exact commit whose CI passed,
