update gha file to mitigate Fork Network Manipulation vuln (#981)

amold1 · web-flow · commit f7c750e15b59 · 2025-12-19T10:59:02.000-05:00
diff --git a/.github/workflows/build_test_ci.yml b/.github/workflows/build_test_ci.yml
@@ -40,7 +40,7 @@ jobs:
           filters: .github/filters.yml
 
   go-test:
-    environment: ${{ github.event.pull_request.head.repo.fork == true && 'prod-external' || 'prod' }}
+    environment: ${{ (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) && 'prod-external' || 'prod' }}
     runs-on: ubuntu-latest
     needs: changes
     if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }}
@@ -100,6 +100,6 @@ jobs:
     uses: ./.github/workflows/e2e-test.yaml
     secrets: inherit
     with:
-      environment: ${{ github.event.pull_request.head.repo.fork == true && 'prod-external' || 'prod' }}
+      environment: ${{ (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) && 'prod-external' || 'prod' }}
       e2e-selector: ${{ matrix.flavor }}
       e2e-flags: ${{ matrix.flavor == 'quick' && ''  || '--assert-timeout 20m0s'}}
