chore(ci): experiment hardening origin

heitorlessa · heitorlessa · commit 879fcbe8c4e2 · 2022-07-22T12:38:37.000+02:00
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
@@ -14,6 +14,7 @@ jobs:
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+      workflow_origin: ${{ github.event.repository.full_name }}
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   label_pr:
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
@@ -12,6 +12,7 @@ jobs:
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+      workflow_origin: ${{ github.event.repository.full_name }}
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   release_label_on_merge:
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
@@ -10,8 +10,10 @@ jobs:
   get_pr_details:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
+    env:
     with:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
+      workflow_origin: ${{ github.event.repository.full_name }}
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   check_related_issue:
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
@@ -6,6 +6,11 @@ on:
       record_pr_workflow_id:
         required: true
         type: number
+      # this protects from anyone mimicking "Record PR details" dependency
+      # regardless of our untrusted input validation
+      workflow_origin:
+        required: true
+        type: string
     secrets:
       token:
         required: true
@@ -32,6 +37,7 @@ on:
 
 jobs:
   export_pr_details:
+    if: inputs.workflow_origin == "bla/bla"
     runs-on: ubuntu-latest
     env:
       FILENAME: pr.txt
