
Change default fork behavior for pull_request triggers to deny-by-default#2970

Merged
pelikhan merged 3 commits into main from copilot/update-forks-default-behavior
Nov 2, 2025

Conversation

Copilot AI (Contributor) commented Nov 2, 2025

Pull request workflows now block forks by default unless explicitly allowed via forks field. Previously, omitting the forks field allowed all forks to trigger workflows.

Changes

  • pkg/workflow/filters.go: Modified applyPullRequestForkFilter() to treat missing forks field as empty array (same-repo PRs only)
  • pkg/workflow/expressions.go: Updated BuildNotFromFork() to use repository ID comparison instead of full_name for more reliable fork detection
  • pkg/workflow/compiler_test.go: Added test case validating default fork filtering behavior and updated test expectations
  • pkg/workflow/expressions_test.go: Updated test expectations to use repository ID
  • pkg/workflow/schemas/github-workflow.json: Documented forks, draft, and names custom fields

Behavior

```yaml
# Before: allowed all forks
# After: blocks all forks (same-repo PRs only)
on:
  pull_request:
    types: [opened]

# Explicit opt-in required for forks
on:
  pull_request:
    types: [opened]
    forks: ["*"]              # Allow all
    # or
    forks: ["trusted-org/*"]  # Allow specific patterns
```

Generated Condition

Workflows without forks field now generate:

```yaml
if: (github.event_name != 'pull_request') ||
    (github.event.pull_request.head.repo.id == github.repository_id)
```

Uses repository ID comparison instead of full_name for more reliable matching that is not affected by repository renames. This is consistent with the approach used for workflow_run repository safety checks.

Existing workflows using forks field are unaffected.

Original prompt

Change the default behavior of "forks" for pull request events to disallow them all by default.

Update schema and compiler.


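As an added example (not code from this PR or the project), the policy the description lays out in Go: the `forks` field as a hypothetical `ForkPolicy` type, constructed repository IDs and names, and assumed glob semantics (`"*"` allows every fork, other patterns are matched with `path.Match`).

```go
package main
import (
	"fmt"
	"path"
)

// ForkPolicy stands in for the `forks:` field of a pull_request trigger (hypothetical
// type, not the project's own). nil Patterns means the field was omitted: same-repo only.
type ForkPolicy struct{ Patterns []string }

// HeadRepo is a constructed stand-in for github.event.pull_request.head.repo.
type HeadRepo struct {
	ID       int64
	FullName string
}

// BuildCondition renders the `if:` expression the PR describes for a workflow
// with no forks field. IDs are compared, so a rename cannot change the result.
func BuildCondition() string {
	return "(github.event_name != 'pull_request') || " +
		"(github.event.pull_request.head.repo.id == github.repository_id)"
}

// Allows reports whether a PR from head may trigger the workflow of the
// repository whose github.repository_id is baseID.
func (p ForkPolicy) Allows(head HeadRepo, baseID int64) bool {
	if head.ID == baseID {
		return true // same repository: always allowed, whatever its name
	}
	// Deny-by-default: with no patterns the loop never runs and the fork is blocked.
	for _, pat := range p.Patterns {
		// Assumed glob semantics: "*" allows every fork; other patterns go through
		// path.Match, so "trusted-org/*" matches any repository under trusted-org.
		if pat == "*" {
			return true
		}
		if ok, _ := path.Match(pat, head.FullName); ok {
			return true
		}
	}
	return false
}

func main() {
	base := HeadRepo{ID: 100, FullName: "example-org/app"} // constructed
	fork := HeadRepo{ID: 200, FullName: "trusted-org/app"} // constructed
	for _, p := range []ForkPolicy{{}, {[]string{"*"}}, {[]string{"trusted-org/*"}}} {
		fmt.Printf("forks=%v same-repo=%v fork=%v\n", p.Patterns, p.Allows(base, 100), p.Allows(fork, 100))
	}
}
```

The renamed-repository case is the reason for the ID comparison: a same-repository PR stays allowed even when `FullName` no longer matches, while a fork with a look-alike name is still rejected.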

…all by default

- Modified applyPullRequestForkFilter to apply fork filtering by default when no forks field is specified
- When forks field is not present, only same-repo PRs are allowed (disallow all forks by default)
- Users must explicitly specify forks: ["*"] to allow all forks
- Updated JSON schema to document the forks, draft, and names custom fields
- Added test case for default fork filtering behavior
- All existing tests continue to pass

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Change default behavior of forks in pull request events" to "Change default fork behavior for pull_request triggers to deny-by-default" Nov 2, 2025
Copilot AI requested a review from pelikhan November 2, 2025 03:25
pelikhan (Contributor) commented Nov 2, 2025

@copilot use repository id instead of full name

- Updated BuildNotFromFork() to compare github.event.pull_request.head.repo.id with github.repository_id
- Changed from full_name comparison to repository ID comparison for more reliable matching
- Repository ID is not affected by repository renames
- Updated all test expectations to use repository_id instead of full_name
- All tests pass including agent-finish

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI (Contributor, Author) commented Nov 2, 2025

> @copilot use repository id instead of full name

Updated to use github.event.pull_request.head.repo.id == github.repository_id instead of full_name comparison. This provides more reliable fork detection that isn't affected by repository renames, consistent with the workflow_run repository safety checks.

Commit: 7e306f0

@pelikhan pelikhan marked this pull request as ready for review November 2, 2025 04:46
Copilot AI review requested due to automatic review settings November 2, 2025 04:46
@pelikhan pelikhan enabled auto-merge (squash) November 2, 2025 04:47
@pelikhan pelikhan merged commit 48f19e3 into main Nov 2, 2025
48 checks passed
@pelikhan pelikhan deleted the copilot/update-forks-default-behavior branch November 2, 2025 04:48
Copilot AI (Contributor) left a comment


Pull Request Overview

This PR changes the fork detection mechanism from repository name comparison to repository ID comparison for improved reliability, and updates the default behavior to disallow forked PRs when no explicit fork configuration is provided.

  • Updates fork detection to use repository ID (github.repository_id) instead of full name (github.repository) for more reliable matching
  • Changes default behavior to disallow all forked PRs when the forks field is not specified
  • Updates all generated workflow files and tests to reflect the new fork detection approach

Reviewed Changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pkg/workflow/expressions.go | Updated BuildNotFromFork() to use repository ID comparison instead of full name |
| pkg/workflow/filters.go | Modified default fork filter behavior to explicitly disallow forks when no forks field is specified |
| pkg/workflow/expressions_test.go | Updated test expectations to validate repository ID comparison |
| pkg/workflow/compiler_test.go | Added test case for default fork behavior and updated existing test expectations |
| .github/workflows/*.lock.yml | Regenerated workflow files with updated fork detection conditions using repository ID |


github-actions bot added a commit that referenced this pull request Nov 2, 2025
Update instructions file with fork security feature introduced in v0.27.0.

## Changes Made

- Added `forks:` field documentation to frontmatter schema section
- Added "Fork Security for Pull Requests" section under Trigger Patterns with examples
- Added "Fork Security" subsection to Security Considerations
- Updated pull_request trigger example to show forks field usage

## Documentation Commits Reviewed

- 48f19e3 Change default fork behavior for pull_request triggers to deny-by-default (#2970)

## Key Feature

Pull request workflows now block forks by default unless explicitly allowed via `forks` field:
- Default behavior: same-repo PRs only (forks blocked)
- Explicit opt-in: use `forks: ["*"]` for all forks or patterns like `["org/*"]`
- Security improvement: deny-by-default protects against untrusted fork execution

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>