From 76ed964d4357f3f16bbe443013a59c4c38967686 Mon Sep 17 00:00:00 2001
From: aeonframework
Date: Thu, 4 Jun 2026 07:33:41 +0000
Subject: [PATCH] fix(security): make same-repo gate on claude-auto-fix-ci.yml explicit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
workflow_run + checkout of github.event.workflow_run.head_branch + bun install runs in a base-repo context with access to repository secrets (CLAUDE_CODE_OAUTH_TOKEN, SUPERMEMORY_API_KEY, write-scoped GITHUB_TOKEN) — the canonical "pwn request" pattern. Today the implicit pull_requests[0] gate happens to skip fork PRs (documented but non-contractual GitHub behavior), but the security boundary should be visible in the workflow file. Add an explicit head_repository.full_name == repository.full_name check plus an inline comment so the gate isn't accidentally removed by a future editor. Detected by Aeon + Semgrep p/security-audit (yaml.github-actions.security.workflow-run-target-code-checkout). Severity: medium · CWE-913
---
 .github/workflows/claude-auto-fix-ci.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/claude-auto-fix-ci.yml b/.github/workflows/claude-auto-fix-ci.yml
index 993545c6a..ec918c519 100644
--- a/.github/workflows/claude-auto-fix-ci.yml
+++ b/.github/workflows/claude-auto-fix-ci.yml
@@ -15,9 +15,19 @@ permissions:
 jobs:
 auto-fix:
+ # Only run when the failing CI run came from a PR pushed to a branch in
+ # *this* repository. workflow_run executes in the base-repo context with
+ # access to repository secrets (CLAUDE_CODE_OAUTH_TOKEN, SUPERMEMORY_API_KEY,
+ # write-scoped GITHUB_TOKEN); checking out arbitrary PR code in that context
+ # is the canonical "pwn request" pattern. github.event.workflow_run.pull_requests
+ # is documented to be empty for fork PRs, but we add an explicit
+ # head_repository == repository check so the security intent is visible in
+ # the workflow file and not dependent on an implicit GitHub-side guarantee.
+ # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
 if: |
 github.event.workflow_run.conclusion == 'failure' &&
- github.event.workflow_run.pull_requests[0]
+ github.event.workflow_run.pull_requests[0] &&
+ github.event.workflow_run.head_repository.full_name == github.event.workflow_run.repository.full_name
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
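Review bot: The added `head_repository.full_name == repository.full_name` clause in the `if:` makes the fork boundary explicit, but it still admits every same-repo branch, including branches pushed by automation such as dependency-update bots, whose runs normally receive no secrets under `pull_request` but do under `workflow_run`. If that is not intended, extend the same expression with an actor clause, for example `&& github.event.workflow_run.actor.login != 'dependabot[bot]'`, and state in the comment that write access to a branch is the trust boundary. The checkout and install steps lie outside this hunk; since the commit message says they use `head_branch`, it is worth confirming the checkout pins `github.event.workflow_run.head_sha`, so the job operates on the commit whose CI actually failed rather than whatever the branch points to later.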