From 8ad70fb6a3522382d4d3b9b5e66ca37f18fac39a Mon Sep 17 00:00:00 2001
From: Molecule AI Infra-Runtime-BE <infra-runtime-be@agents.moleculesai.app>
Date: Mon, 11 May 2026 19:34:31 +0000
Subject: [PATCH] fix(ci): revert gate-check-v3 to base.ref checkout
 (internal#116 footgun)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pull_request_target runs under the repo's secrets context. Checking out
an untrusted PR HEAD under that context is a known footgun: a malicious
PR author could inject arbitrary code into the checked-out tree and the
workflow would execute it with elevated token access.

Reverts the checkout from head.sha back to base.ref. The base branch is
a trusted commit — an external actor cannot modify it.

Trade-off: script changes in the PR branch (e.g. self-loop exclusion in
signal_6_ci) won't take effect until they land on main. That is an
acceptable false-positive window vs. the attack surface of running
untrusted code under a privileged token.

Fixes: internal#116 (security footgun reported by hongming-pc2)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/gate-check-v3.yml | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/.gitea/workflows/gate-check-v3.yml b/.gitea/workflows/gate-check-v3.yml
index 5dad2701..38f9c1e5 100644
--- a/.gitea/workflows/gate-check-v3.yml
+++ b/.gitea/workflows/gate-check-v3.yml
@@ -40,16 +40,21 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true  # Never block on our own detector failing
     steps:
-      - name: Check out PR branch (head) for the script
-        # NOTE: we intentionally check out the HEAD/PR branch here — not the base.
-        # This is required so that script fixes in PR branches (e.g. the self-loop
-        # exclusion in signal_6_ci) are actually used when evaluating that PR.
-        # Security: this job runs with continue-on-error: true and does not
-        # execute arbitrary PR code — it only runs the gate-check script which
-        # is read-only (API reads + JSON stdout).
+      - name: Check out base branch (trusted ref)
+        # Reverted from head.sha (PR #547 Bug-2 fix).
+        # pull_request_target runs under the repo's secrets context. Checking out
+        # an untrusted PR HEAD under that context is a known footgun (internal#116):
+        # a malicious PR author could inject arbitrary code into the checked-out
+        # tree and the workflow would execute it with elevated token access.
+        # Fix: always run the gate-check script from the PR's base branch — a
+        # trusted commit that an external actor cannot modify.
+        # Trade-off: script changes in the PR branch (e.g. self-loop exclusion in
+        # signal_6_ci) won't take effect until they land on main. That is an
+        # acceptable false-positive window vs. the attack surface of running
+        # untrusted code under a privileged token.
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.base.ref }}
 
       - name: Run gate-check-v3 (single PR mode)
         if: github.event_name == 'pull_request_target' || github.event.inputs.pr_number != ''
-- 
2.45.2