fix: add approval gate to call-check-tflite-files job

q1uf3ng · q1uf3ng · commit 7f42e573f18a · 2026-05-08T13:58:41.000+08:00
The call-check-tflite-files job in pr_test.yml is missing the
needs: [gatekeeper, approval-gate] dependency that all other jobs
have. This allows fork PRs to execute arbitrary code via the checked-out
shell script without waiting for approval, bypassing the security gate.

BUG=n/a
diff --git a/.github/workflows/pr_test.yml b/.github/workflows/pr_test.yml
@@ -64,6 +64,8 @@ jobs:
         run: echo "CI Authorized."
 
   call-check-tflite-files:
+    needs: [gatekeeper, approval-gate]
+    if: needs.gatekeeper.outputs.scope != 'none'
     uses: ./.github/workflows/check_tflite_files.yml
     with:
       trigger-sha: ${{ github.event.pull_request.head.sha }}
