Merged
41 changes: 41 additions & 0 deletions .github/workflows/pr.yaml
@@ -77,6 +77,10 @@ jobs:
persist-credentials: false

- name: Fetch trusted configuration files from main branch
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
echo "Fetching configuration files from main branch to prevent malicious overrides..."

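Review bot: the skip condition keys only on `github.event.pull_request.user.login`, which identifies who opened the PR, not who pushed the head commit; a collaborator who pushes extra commits onto a Dependabot branch keeps `dependabot[bot]` as the PR author, so this step would still be skipped for a human-authored change to a protected file. Consider additionally requiring `github.actor == 'dependabot[bot]'` (the account that triggered this run), so that a human-pushed `synchronize` event still goes through the main-branch overwrite.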
@@ -120,6 +124,11 @@ jobs:
echo "✅ Configuration files secured - using versions from main branch"

- name: Detect protected configuration file changes
# Skip for Dependabot — its bumps to protected files (e.g. Directory.Build.props)
# are legitimate. The guard's threat model is human PR authors disabling analyzers
# in their own PRs; it does not apply to a trusted GitHub-controlled bot whose
# only action is package-version updates.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
echo "Checking for changes to protected configuration files in this PR..."

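Review bot: skipping "Detect protected configuration file changes" outright removes the only detection for this class of PR, and the stated threat model ("human PR authors disabling analyzers in their own PRs") does not cover a human adding commits to a Dependabot-authored PR, which keeps the `dependabot[bot]` login. Rather than skipping the step, consider letting it run and narrowing what it accepts when the author is Dependabot: allow only package-version edits in the protected files (the comment's own justification) and still fail on any other change to them.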
@@ -201,6 +210,10 @@ jobs:
persist-credentials: false

- name: Fetch trusted configuration files from main branch
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
echo "Fetching configuration files from main branch to prevent malicious overrides..."

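Review bot: the same three-line comment and `if:` expression are now copied into every job in this file; consider evaluating the condition once, for example as a job-level `env` value such as `SKIP_CONFIG_GUARD: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}` checked with `if: env.SKIP_CONFIG_GUARD != 'true'`, so a later correction to the check (such as tightening it) is applied in one place and the copies cannot drift apart.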
@@ -244,6 +257,10 @@ jobs:
echo "✅ Configuration files secured - using versions from main branch"

- name: Fetch trusted configuration files from main branch
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
echo "Fetching configuration files from main branch to prevent malicious overrides..."

@@ -572,6 +589,10 @@ jobs:

- name: Fetch trusted configuration files from main branch
shell: pwsh
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
Write-Host "Fetching configuration files from main branch to prevent malicious overrides..."

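Review bot: in the PowerShell steps the comment and `if:` are inserted between `shell: pwsh` and `run:`, whereas in the bash steps they sit directly under `name:`; this is valid YAML, but for readability keep the same key order everywhere (`name:`, comment, `if:`, then `shell:` and `run:`) so a reader scanning the file finds the guard in the same place in each step.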
@@ -617,6 +638,10 @@ jobs:

- name: Fetch trusted configuration files from main branch
shell: pwsh
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
Write-Host "Fetching configuration files from main branch to prevent malicious overrides..."

@@ -861,6 +886,10 @@ jobs:
persist-credentials: false

- name: Fetch trusted configuration files from main branch
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
echo "Fetching configuration files from main branch to prevent malicious overrides..."

@@ -904,6 +933,10 @@ jobs:
echo "✅ Configuration files secured - using versions from main branch"

- name: Fetch trusted configuration files from main branch
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
echo "Fetching configuration files from main branch to prevent malicious overrides..."

@@ -1231,6 +1264,10 @@ jobs:
persist-credentials: false

- name: Fetch trusted configuration files from main branch
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
echo "Fetching configuration files from main branch to prevent malicious overrides..."

@@ -1274,6 +1311,10 @@ jobs:
echo "✅ Configuration files secured - using versions from main branch"

- name: Fetch trusted configuration files from main branch
# Skip for Dependabot — its package-version bumps to protected files (e.g.
# Directory.Build.props) are legitimate and should not be overwritten by main's
# older versions. Dependabot's identity is GitHub-controlled and not spoofable.
if: github.event.pull_request.user.login != 'dependabot[bot]'
run: |
echo "Fetching configuration files from main branch to prevent malicious overrides..."
