fix(security): explicit branch check on nightly workflow_run trigger

[anandray]

Add head_branch == 'develop' guard to the nightly workflow's init job. The branches: [develop] filter on the trigger already enforces this, but static analyzers (OSSF Scorecard's DangerousWorkflow rule) can't trace that — they see workflow_run + head_sha checkout + secrets: inherit and flag the pattern critical regardless of the trigger filter.

The explicit branch check ties the trust boundary to develop's branch protection (PR + code-owner review + required checks), which is the actual safety guarantee. All downstream jobs depend on init via needs:, so they inherit the gate without per-job changes.

Behavior is unchanged: workflow_run runs that wouldn't have fired under the trigger filter still don't fire. Manual workflow_dispatch remains unaffected.

Note: workflow_run triggers always execute the version of this file from main (per GitHub's rules), so this fix takes effect for runtime safety only after develop → main lands. The static-analysis finding (#760, alert #565) closes once the Scorecard scan re-runs against develop with this change.

Fixes #760

Summary

Type

Testing

• Tests added or updated
• Tested locally
• ./builder test passes

Checklist

• Commit messages follow conventional commits
• No secrets or credentials included
• Wiki updated (if applicable)
• Breaking changes documented (if applicable)

Linked Issue

Fixes #

Summary by CodeRabbit

• Chores
  • Strengthened nightly workflow gating with an explicit develop-branch guard and clearer conditional logic to limit privileged job execution.
  • Added inline documentation clarifying trust and supply-chain boundaries to improve CI reliability, security, and maintainability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d5789e33-380d-4294-ad06-1c35a3e73bcc

📥 Commits

Reviewing files that changed from the base of the PR and between a5f3976 and 46eefad.

📒 Files selected for processing (1)

• .github/workflows/nightly.yaml

---

📝 Walkthrough

Walkthrough

The nightly workflow's Init job if: was expanded into a multi-line guarded expression: allow manual workflow_dispatch only on refs/heads/develop, or for workflow_run triggers require workflow_run.conclusion == 'success' and workflow_run.head_branch == 'develop'. Detailed comments explaining the trust boundary were added.

Changes

Nightly Workflow Security Gating

Layer / File(s)	Summary
Conditional semantics .github/workflows/nightly.yaml	Replaced the prior one-line if with a multi-line if: that permits manual workflow_dispatch only on refs/heads/develop, or requires github.event.workflow_run.conclusion == 'success' and github.event.workflow_run.head_branch == 'develop' for automatic workflow_run triggers.
Comments / Rationale .github/workflows/nightly.yaml	Inserted extensive inline comments describing the trust/supply-chain boundary and rationale for requiring the triggering run's head_branch == 'develop' before granting secret-bearing, privileged job execution.
Formatting .github/workflows/nightly.yaml	Minor whitespace/position adjustments around the new if: block (no functional change beyond the condition and comments).

Sequence Diagram(s)

(No sequence diagram generated.)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• rocketride-org/rocketride-server#713: Similar change to nightly workflow gating requiring successful develop-branch workflow runs.
• rocketride-org/rocketride-server#631: Related adjustments to branch-based behavior for nightly runs in the workflow.

Suggested reviewers

• stepmikhaylov

Poem

🐰 I hopped through YAML, tidy and spry,
I fenced the run to branches we trust nearby.
Manual or develop — only those may play,
Comments like carrots show the careful way.
A merry little hop to keep secrets safe today.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding an explicit branch check to the nightly workflow's workflow_run trigger for security purposes.
Linked Issues check	✅ Passed	The changes directly address issue #760 by adding explicit head_branch == 'develop' guard and restricting manual dispatch to develop, satisfying the coding requirement to close the dangerous workflow pattern.
Out of Scope Changes check	✅ Passed	All changes are scoped to the nightly.yaml workflow file and directly support the security objective of binding privileged job execution to develop's branch protection.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/dangerous-workflow-760

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

No description provided.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/nightly.yaml:
- Around line 54-57: The workflow currently allows any manual dispatch via the
condition that checks github.event_name == 'workflow_dispatch' unconditionally;
tighten this by requiring the dispatch to target the develop branch as well —
i.e., change the first arm to require both github.event_name ==
'workflow_dispatch' AND github.ref == 'refs/heads/develop' (so use
(github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/develop')
|| ... ), updating the existing conditional around the workflow dispatch check
to restrict manual runs to refs/heads/develop.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 217f6636-8878-4083-b4b9-7fbc9ed4d7d3

📥 Commits

Reviewing files that changed from the base of the PR and between 0ae1811 and 47ebc5e.

📒 Files selected for processing (1)

• .github/workflows/nightly.yaml

[kwit75]

LGTM — straightforward defensive hardening. The explicit head_branch == 'develop' check makes the trust boundary visible to static analyzers (OSSF Scorecard's DangerousWorkflow rule) and ties privileged jobs (secrets: inherit, contents: write) explicitly to develop's branch protection (PR review + required checks). The trigger-level branches: [develop] filter already enforces this in practice, but having the check live in the job's if: means the rule survives any future trigger refactor.

No functional change — same workflow_run / workflow_dispatch matrix as before, just with the branch invariant restated at the job level.

Approving and merging — CI OK is green and #774 already landed, so the prerelease pipeline is back to working.