From c09a8723b43abe43cdb3478711a433bda11cd46e Mon Sep 17 00:00:00 2001
From: Lucas Meurer
Date: Tue, 17 Mar 2026 17:08:18 +0100
Subject: [PATCH] Fix vulnerability in the branch name check workflow (#7982)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Before, a crafted branch name could be used to exfiltrate the github token and wreak havoc 😅
---
 .github/workflows/enforce_branch_name.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/enforce_branch_name.yml b/.github/workflows/enforce_branch_name.yml
index 8c2b28d37..b9df4030d 100644
--- a/.github/workflows/enforce_branch_name.yml
+++ b/.github/workflows/enforce_branch_name.yml
@@ -4,17 +4,23 @@ on:
 pull_request_target:
 types: [opened, reopened, synchronize]
 
+permissions:
+ issues: write
+
 jobs:
 check-source-branch:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
 - name: Check PR source branch
+ env:
+ IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
+ HEAD_REF: ${{ github.event.pull_request.head.ref }}
 run: |
 # Check if PR is from a fork
- if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+ if [[ "$IS_FORK" == "true" ]]; then
 # Check if PR is from the master/main branch of a fork
- if [[ "${{ github.event.pull_request.head.ref }}" == "master" || "${{ github.event.pull_request.head.ref }}" == "main" ]]; then
+ if [[ "$HEAD_REF" == "master" || "$HEAD_REF" == "main" ]]; then
 echo "ERROR: Pull requests from the master/main branch of forks are not allowed, because it prevents maintainers from contributing to your PR"
 echo "Please create a feature branch in your fork and submit the PR from that branch instead."
 exit 1
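Review bot: The new `env:` block on the `Check PR source branch` step carries no comment saying why the event fields are no longer expanded inside `run:`, so a later edit could quietly reintroduce the `${{ }}`-in-script pattern this commit removes. I would add above `env:`: `# Pass event data through env vars; never expand ${{ }} inside run: here — under pull_request_target the head ref is attacker-controlled and would be spliced into the script before bash sees it.` The added top-level `permissions:` applies to every job in the workflow; the step visible here only echoes and exits, so `issues: write` is presumably consumed by a step after the hunk, and if only this job needs it, placing `permissions:` under `check-source-branch:` keeps the token scoped to that job. Both `env` values are read from `github.event.pull_request.head`, so if the head repository is unavailable `IS_FORK` may render empty and the fork check silently falls through; a short comment or an explicit guard would make that intent clear. The job's steps continue past the end of the hunk.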