.gitea/workflows/gate-check-v3.yml

@@ -40,16 +40,21 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true  # Never block on our own detector failing
     steps:
-      - name: Check out PR branch (head) for the script
-        # NOTE: we intentionally check out the HEAD/PR branch here — not the base.
-        # This is required so that script fixes in PR branches (e.g. the self-loop
-        # exclusion in signal_6_ci) are actually used when evaluating that PR.
-        # Security: this job runs with continue-on-error: true and does not
-        # execute arbitrary PR code — it only runs the gate-check script which
-        # is read-only (API reads + JSON stdout).
+      - name: Check out base branch (trusted ref)
+        # Reverted from head.sha (PR #547 Bug-2 fix).
+        # pull_request_target runs under the repo's secrets context. Checking out
+        # an untrusted PR HEAD under that context is a known footgun (internal#116):
+        # a malicious PR author could inject arbitrary code into the checked-out
+        # tree and the workflow would execute it with elevated token access.
+        # Fix: always run the gate-check script from the PR's base branch — a
+        # trusted commit that an external actor cannot modify.
+        # Trade-off: script changes in the PR branch (e.g. self-loop exclusion in
+        # signal_6_ci) won't take effect until they land on main. That is an
+        # acceptable false-positive window vs. the attack surface of running
+        # untrusted code under a privileged token.
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.base.ref }}
 
       - name: Run gate-check-v3 (single PR mode)
         if: github.event_name == 'pull_request_target' || github.event.inputs.pr_number != ''