From 99f01f565a607a8f30cb88a953f4d220a8a992b0 Mon Sep 17 00:00:00 2001
From: Keshav Malik <33570148+theinfosecguy@users.noreply.github.com>
Date: Fri, 27 Mar 2026 13:24:08 +0530
Subject: [PATCH] Harden PR assignment against fork artifact input.

Restrict dependency artifact generation and downstream reviewer assignment to same-repository pull requests so privileged workflow_run jobs cannot consume artifacts from fork PR code.

Made-with: Cursor
---
 .github/workflows/PR-assignment-deps.yml | 1 +
 .github/workflows/PR-assignment.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/PR-assignment-deps.yml b/.github/workflows/PR-assignment-deps.yml
index 587555b705c..3b0cf875270 100644
--- a/.github/workflows/PR-assignment-deps.yml
+++ b/.github/workflows/PR-assignment-deps.yml
@@ -6,6 +6,7 @@ permissions:
   contents: read
 jobs:
   generate_deps:
+    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
     name: Generate dependencies.json
     runs-on: ubuntu-latest
diff --git a/.github/workflows/PR-assignment.yml b/.github/workflows/PR-assignment.yml
index 1a40f30abc0..a8d661ed505 100644
--- a/.github/workflows/PR-assignment.yml
+++ b/.github/workflows/PR-assignment.yml
@@ -7,7 +7,7 @@ on:
       - completed
 jobs:
   assign_reviewers:
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_repository.full_name == github.repository }}
     name: Assign reviewers
     runs-on: ubuntu-latest
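Review bot: The new `if:` on `generate_deps` reads `github.event.pull_request.head.repo.full_name`, which is populated only for pull-request events; the workflow's `on:` block is outside this hunk, so if it also fires on other events the comparison is against an unset path and the job is silently skipped there as well. Skipping the job for a fork PR still yields a completed upstream run, so this guard on its own does not stop the downstream `workflow_run` job from being triggered; it is the matching `head_repository` check in PR-assignment.yml that makes the pair hold together. A comment above the added line would keep the two guards from drifting when either file is edited later, e.g. `# Fork PRs are excluded here and again in PR-assignment.yml: the workflow_run consumer must never act on an artifact built from fork code.` The `generate_deps` job body continues past the end of the hunk.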
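Review bot: The rewritten `if:` on `assign_reviewers` is well over 120 columns on one line; splitting it with a folded block scalar (`if: >-` followed by the `${{ … }}` expression over two indented lines, breaking after `&&`) evaluates identically and reads far more easily in review. On the logic itself, comparing `workflow_run.head_repository.full_name` with `github.repository` is the right source-of-truth for where the triggering run's code came from, and it also covers the case where the upstream job was skipped for a fork yet the run still reports `conclusion == 'success'`. The guard does not check `github.event.workflow_run.event`, so if the upstream workflow can be started by anything other than a pull request, a same-repository non-PR run would still pass this condition; whether that matters depends on the `on:` block and the download steps, both outside the hunk. The job body continues past the end of the hunk.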