@@ -63,10 +63,20 @@ jobs:
6363 mkdir -p "$RUNNER_TEMP/pr-triage-trusted"
6464 cp -r .github/scripts/pr-triage/. "$RUNNER_TEMP/pr-triage-trusted/"
6565
66- - name : Check out PR
66+ - name : Check out PR into subdirectory
6767 env :
6868 GH_TOKEN : ${{ github.token }}
69- run : gh pr checkout "$PR_NUMBER"
69+ run : |
70+ # Place the PR working tree at $RUNNER_TEMP/pr-tree, NOT at
71+ # $GITHUB_WORKSPACE. This keeps $GITHUB_WORKSPACE pointing at
72+ # the trusted default-branch checkout so that any tool whose
73+ # cwd defaults to the workspace cannot accidentally execute
74+ # PR-controlled code. Worker steps that run on the PR tree
75+ # use `working-directory: ${{ runner.temp }}/pr-tree`.
76+ git clone --no-local --quiet "$GITHUB_WORKSPACE" "$RUNNER_TEMP/pr-tree"
77+ cd "$RUNNER_TEMP/pr-tree"
78+ git remote set-url origin "https://github.com/${{ github.repository }}.git"
79+ gh pr checkout "$PR_NUMBER"
7080
7181 - name : Set up JDK for running Gradle
7282 uses : actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
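Review bot: The added `git remote set-url` line splices `${{ github.repository }}` into the script text and hard-codes `https://github.com`. The runner already exports both values as environment variables, so `git remote set-url origin "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git"` keeps the script body free of template expansion and does not assume the github.com host. The identical line recurs in the second checkout step (new line 154) and should change with it. A smaller point: `${{ runner.temp }}` inside the shell comment is also expanded before bash runs; that is harmless here, but writing `$RUNNER_TEMP/pr-tree` in the comment avoids modelling the pattern.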
8494
8595 - name : Run gradle-phase worker
8696 id : run
97+ working-directory : ${{ runner.temp }}/pr-tree
8798 env :
8899 GH_TOKEN : ${{ github.token }}
89- PR_TRIAGE_REPO_ROOT : ${{ github.workspace }}
100+ PR_TRIAGE_REPO_ROOT : ${{ runner.temp }}/pr-tree
90101 run : |
91102 mkdir -p "$RUNNER_TEMP/work"
92103 # Ensure the artifact has at least one file so upload/download
@@ -130,10 +141,18 @@ jobs:
130141 mkdir -p "$RUNNER_TEMP/pr-triage-trusted"
131142 cp -r .github/scripts/pr-triage/. "$RUNNER_TEMP/pr-triage-trusted/"
132143
133- - name : Check out PR
144+ - name : Check out PR into subdirectory
134145 env :
135146 GH_TOKEN : ${{ github.token }}
136- run : gh pr checkout "$PR_NUMBER"
147+ run : |
148+ # Place the PR working tree at $RUNNER_TEMP/pr-tree, NOT at
149+ # $GITHUB_WORKSPACE. This keeps $GITHUB_WORKSPACE pointing at
150+ # the trusted default-branch checkout. Worker steps that run
151+ # on the PR tree use `working-directory: ${{ runner.temp }}/pr-tree`.
152+ git clone --no-local --quiet "$GITHUB_WORKSPACE" "$RUNNER_TEMP/pr-tree"
153+ cd "$RUNNER_TEMP/pr-tree"
154+ git remote set-url origin "https://github.com/${{ github.repository }}.git"
155+ gh pr checkout "$PR_NUMBER"
137156
138157 - name : Install Copilot CLI
139158 run : npm install -g @github/copilot@1.0.40
@@ -147,25 +166,27 @@ jobs:
147166
148167 - name : Run copilot-phase worker (review)
149168 if : needs.authorize-command.outputs.command == 'review'
169+ working-directory : ${{ runner.temp }}/pr-tree
150170 env :
151171 # GITHUB_TOKEN is also set so Copilot CLI's `gh` subprocesses use the
152172 # read-only job token rather than falling back to the privileged
153173 # COPILOT_GITHUB_TOKEN. Copilot CLI scrubs both names from the
154174 # environment of the children it spawns.
155175 GH_TOKEN : ${{ github.token }}
156176 COPILOT_GITHUB_TOKEN : ${{ secrets.COPILOT_GITHUB_TOKEN }}
157- PR_TRIAGE_REPO_ROOT : ${{ github.workspace }}
177+ PR_TRIAGE_REPO_ROOT : ${{ runner.temp }}/pr-tree
158178 run : |
159179 mkdir -p "$RUNNER_TEMP/work"
160180 touch "$RUNNER_TEMP/work/.placeholder"
161181 python3 "$RUNNER_TEMP/pr-triage-trusted/worker_copilot.py" --out-dir "$RUNNER_TEMP/work"
162182
163183 - name : Run copilot-phase worker (fix)
164184 if : needs.authorize-command.outputs.command == 'fix'
185+ working-directory : ${{ runner.temp }}/pr-tree
165186 env :
166187 GH_TOKEN : ${{ github.token }}
167188 COPILOT_GITHUB_TOKEN : ${{ secrets.COPILOT_GITHUB_TOKEN }}
168- PR_TRIAGE_REPO_ROOT : ${{ github.workspace }}
189+ PR_TRIAGE_REPO_ROOT : ${{ runner.temp }}/pr-tree
169190 run : |
170191 mkdir -p "$RUNNER_TEMP/work"
171192 touch "$RUNNER_TEMP/work/.placeholder"
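Review bot: Both copilot-phase steps now start in the PR-controlled tree while `COPILOT_GITHUB_TOKEN` is in their environment, so anything `python3`, the worker or the Copilot CLI resolves relative to the current directory comes from the PR author. The worker is invoked by absolute path from `$RUNNER_TEMP/pr-triage-trusted`, which keeps Python's script-directory import path on trusted files, but nothing in the workflow states that this is what the steps rely on. I would record it next to each `working-directory` line, e.g. `# cwd is the untrusted PR tree: call trusted tools by absolute path only; no python3 -m/-c or relative script paths here`. The gradle-phase step (new line 97) gets the same `working-directory` and deserves the same comment. The fix step's `run` body continues past the end of this hunk, so its remaining commands were not checked.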