Change default fork behavior for pull_request triggers to deny-by-default#2970
Conversation
…all by default

- Modified applyPullRequestForkFilter to apply fork filtering by default when no forks field is specified
- When forks field is not present, only same-repo PRs are allowed (disallow all forks by default)
- Users must explicitly specify forks: ["*"] to allow all forks
- Updated JSON schema to document the forks, draft, and names custom fields
- Added test case for default fork filtering behavior
- All existing tests continue to pass

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot use repository id instead of full name

- Updated BuildNotFromFork() to compare github.event.pull_request.head.repo.id with github.repository_id
- Changed from full_name comparison to repository ID comparison for more reliable matching
- Repository ID is not affected by repository renames
- Updated all test expectations to use repository_id instead of full_name
- All tests pass including agent-finish

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Updated to use Commit: 7e306f0
Pull Request Overview
This PR changes the fork detection mechanism from repository name comparison to repository ID comparison for improved reliability, and updates the default behavior to disallow forked PRs when no explicit fork configuration is provided.
- Updates fork detection to use repository ID (`github.repository_id`) instead of full name (`github.repository`) for more reliable matching
- Changes default behavior to disallow all forked PRs when the `forks` field is not specified
- Updates all generated workflow files and tests to reflect the new fork detection approach
Reviewed Changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/workflow/expressions.go | Updated BuildNotFromFork() to use repository ID comparison instead of full name |
| pkg/workflow/filters.go | Modified default fork filter behavior to explicitly disallow forks when no forks field is specified |
| pkg/workflow/expressions_test.go | Updated test expectations to validate repository ID comparison |
| pkg/workflow/compiler_test.go | Added test case for default fork behavior and updated existing test expectations |
| .github/workflows/*.lock.yml | Regenerated workflow files with updated fork detection conditions using repository ID |
Update instructions file with fork security feature introduced in v0.27.0.

## Changes Made

- Added `forks:` field documentation to frontmatter schema section
- Added "Fork Security for Pull Requests" section under Trigger Patterns with examples
- Added "Fork Security" subsection to Security Considerations
- Updated pull_request trigger example to show forks field usage

## Documentation Commits Reviewed

- 48f19e3 Change default fork behavior for pull_request triggers to deny-by-default (#2970)

## Key Feature

Pull request workflows now block forks by default unless explicitly allowed via `forks` field:

- Default behavior: same-repo PRs only (forks blocked)
- Explicit opt-in: use `forks: ["*"]` for all forks or patterns like `["org/*"]`
- Security improvement: deny-by-default protects against untrusted fork execution

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Pull request workflows now block forks by default unless explicitly allowed via the `forks` field. Previously, omitting the `forks` field allowed all forks to trigger workflows.

## Changes

- `pkg/workflow/filters.go`: Modified `applyPullRequestForkFilter()` to treat a missing `forks` field as an empty array (same-repo PRs only)
- `pkg/workflow/expressions.go`: Updated `BuildNotFromFork()` to use repository ID comparison instead of `full_name` for more reliable fork detection
- `pkg/workflow/compiler_test.go`: Added test case validating default fork filtering behavior and updated test expectations
- `pkg/workflow/expressions_test.go`: Updated test expectations to use repository ID
- `pkg/workflow/schemas/github-workflow.json`: Documented `forks`, `draft`, and `names` custom fields

## Behavior

### Generated Condition

Workflows without a `forks` field now generate:

Uses repository ID comparison instead of `full_name` for more reliable matching that is not affected by repository renames. This is consistent with the approach used for `workflow_run` repository safety checks.

Existing workflows using the `forks` field are unaffected.
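Worked example, added here and not taken from the gh-aw repository or from this PR: a small Go model of the deny-by-default policy the description above spells out (omitted `forks` means same-repo only, `["*"]` means all forks, `org/*` patterns opt in one owner, and the same-repo check compares `head.repo.id` with `github.repository_id` rather than names). `ForkPolicy`, `PullRequestEvent`, `Condition` and `Allows` are hypothetical names, the sample events are constructed, and compiling an `org/*` pattern into a `startsWith(...)` clause is an assumption about how such a pattern could be expressed in a workflow expression, not a description of what the project actually emits.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// ForkPolicy is the parsed `forks:` frontmatter field. Present == false means
// the field was omitted, which after this change means same-repo PRs only.
// (Hypothetical type for this example, not the project's own.)
type ForkPolicy struct {
	Present  bool
	Patterns []string
}

// PullRequestEvent is the slice of the pull_request payload the guard reads.
// Constructed for this example; the comments name the expression contexts.
type PullRequestEvent struct {
	HeadRepoID       int64  // github.event.pull_request.head.repo.id
	HeadRepoFullName string // github.event.pull_request.head.repo.full_name
	BaseRepoID       int64  // github.repository_id
}

// sameRepoGuard is the ID comparison the PR switches to: it keeps matching
// after a rename, whereas a full_name comparison would not.
const sameRepoGuard = "github.event.pull_request.head.repo.id == github.repository_id"

// patternRe rejects anything that could break out of the single-quoted
// literal we embed in the generated expression (frontmatter is untrusted input
// to the compiler, so never interpolate it unchecked).
var patternRe = regexp.MustCompile(`^[A-Za-z0-9_.\-/*]+$`)

// Condition renders the `if:` expression the compiler would emit for p.
// An empty string means no guard is needed because all forks are allowed.
func (p ForkPolicy) Condition() (string, error) {
	if !p.Present || len(p.Patterns) == 0 {
		return sameRepoGuard, nil // deny-by-default: omitted == empty list
	}
	clauses := []string{sameRepoGuard}
	for _, pat := range p.Patterns {
		if pat == "*" {
			return "", nil
		}
		if !patternRe.MatchString(pat) {
			return "", fmt.Errorf("forks pattern %q contains characters not allowed in a workflow expression", pat)
		}
		if owner, ok := strings.CutSuffix(pat, "/*"); ok {
			// Assumption: expressions have no globbing, so an owner wildcard
			// becomes a prefix check on the head repository's full name.
			clauses = append(clauses, fmt.Sprintf("startsWith(github.event.pull_request.head.repo.full_name, '%s/')", owner))
		} else {
			clauses = append(clauses, fmt.Sprintf("github.event.pull_request.head.repo.full_name == '%s'", pat))
		}
	}
	return "(" + strings.Join(clauses, " || ") + ")", nil
}

// Allows evaluates the same policy against a concrete event, so the generated
// condition can be sanity-checked locally before a workflow ships.
func (p ForkPolicy) Allows(ev PullRequestEvent) bool {
	// Same repository is decided by ID, so a stale or renamed full_name in the
	// payload does not flip the result.
	if ev.HeadRepoID == ev.BaseRepoID {
		return true
	}
	if !p.Present {
		return false
	}
	for _, pat := range p.Patterns {
		if pat == "*" {
			return true
		}
		// path.Match's "*" stops at "/", so "octo-org/*" matches "octo-org/x"
		// but never "evil/x"; the bare "*" case is handled above.
		if ok, _ := path.Match(pat, ev.HeadRepoFullName); ok {
			return true
		}
	}
	return false
}

func main() {
	policies := []struct {
		name string
		p    ForkPolicy
	}{
		{"omitted", ForkPolicy{}},
		{"all forks", ForkPolicy{Present: true, Patterns: []string{"*"}}},
		{"one org", ForkPolicy{Present: true, Patterns: []string{"octo-org/*"}}},
	}
	fork := PullRequestEvent{HeadRepoID: 99, HeadRepoFullName: "someone/app", BaseRepoID: 42}
	for _, c := range policies {
		cond, err := c.p.Condition()
		fmt.Printf("%-9s if: %q err=%v allows fork=%v\n", c.name, cond, err, c.p.Allows(fork))
	}
}
```

The point to check when reading the generated `.lock.yml` files is the first clause: the guard now keys on repository IDs, so a fork whose `full_name` happens to look like the base repository (or a base repository that was renamed) cannot satisfy it. Anything else that ends up inside the expression comes from the workflow's own frontmatter, which is why the example validates each pattern before interpolating it.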