security: Add repository and branch validation for workflow_run triggers

- Validate workflow_run is from same repository (not a fork)
- Validate branch is in allowed list (main/develop)
- Validate SHA format before use
- Addresses Kusari security concerns about workflow_run triggers
- Maintains workflow chaining while adding security checks

Author: Zohayb Bhatti

.github/workflows/build-binaries.yml

@@ -39,16 +39,34 @@ jobs:
             arch: amd64
             output: github-repo-windows-amd64.exe
     steps:
-      - name: Check if lint workflow passed
+      - name: Validate workflow_run security
         if: github.event_name == 'workflow_run'
         uses: actions/github-script@v7
         with:
           script: |
-            const headSha = context.payload.workflow_run?.head_sha;
+            const workflowRun = context.payload.workflow_run;
+            
+            // Validate workflow_run is from the same repository (not a fork)
+            if (!workflowRun || workflowRun.repository.full_name !== context.repo.owner + '/' + context.repo.repo) {
+              core.setFailed('Security: workflow_run must be from the same repository');
+              return;
+            }
+            
+            // Validate head SHA format
+            const headSha = workflowRun.head_sha;
             if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
-              core.setFailed('Invalid head SHA');
+              core.setFailed('Invalid head SHA format');
+              return;
+            }
+            
+            // Validate branch is allowed
+            const allowedBranches = ['main', 'develop'];
+            if (!allowedBranches.includes(workflowRun.head_branch)) {
+              core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
               return;
             }
+            
+            // Check if lint workflow passed
             const { data: runs } = await github.rest.actions.listWorkflowRuns({
                 owner: context.repo.owner,
                 repo: context.repo.repo,

.github/workflows/docker-push.yml

@@ -25,16 +25,34 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && (github.event.workflow_run.head_branch == 'main' || github.event.workflow_run.head_branch == 'develop')) }}
     steps:
-      - name: Check if lint workflow passed
+      - name: Validate workflow_run security
         if: github.event_name == 'workflow_run'
         uses: actions/github-script@v7
         with:
           script: |
-            const headSha = context.payload.workflow_run?.head_sha;
+            const workflowRun = context.payload.workflow_run;
+            
+            // Validate workflow_run is from the same repository (not a fork)
+            if (!workflowRun || workflowRun.repository.full_name !== context.repo.owner + '/' + context.repo.repo) {
+              core.setFailed('Security: workflow_run must be from the same repository');
+              return;
+            }
+            
+            // Validate head SHA format
+            const headSha = workflowRun.head_sha;
             if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
-              core.setFailed('Invalid head SHA');
+              core.setFailed('Invalid head SHA format');
+              return;
+            }
+            
+            // Validate branch is allowed
+            const allowedBranches = ['main', 'develop'];
+            if (!allowedBranches.includes(workflowRun.head_branch)) {
+              core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
               return;
             }
+            
+            // Check if lint workflow passed
             const { data: runs } = await github.rest.actions.listWorkflowRuns({
               owner: context.repo.owner,
               repo: context.repo.repo,

.github/workflows/integration-test.yml

@@ -21,6 +21,32 @@ jobs:
         runs-on: ubuntu-latest
         if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main') }}
         steps:
+            - name: Validate workflow_run security
+              if: github.event_name == 'workflow_run'
+              uses: actions/github-script@v7
+              with:
+                  script: |
+                      const workflowRun = context.payload.workflow_run;
+                      
+                      // Validate workflow_run is from the same repository (not a fork)
+                      if (!workflowRun || workflowRun.repository.full_name !== context.repo.owner + '/' + context.repo.repo) {
+                        core.setFailed('Security: workflow_run must be from the same repository');
+                        return;
+                      }
+                      
+                      // Validate head SHA format
+                      const headSha = workflowRun.head_sha;
+                      if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
+                        core.setFailed('Invalid head SHA format');
+                        return;
+                      }
+                      
+                      // Validate branch is allowed
+                      const allowedBranches = ['main'];
+                      if (!allowedBranches.includes(workflowRun.head_branch)) {
+                        core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
+                        return;
+                      }
             - name: Checkout code
               uses: actions/checkout@v5
               with:

.github/workflows/security-scan.yml

@@ -19,16 +19,34 @@ jobs:
         runs-on: ubuntu-latest
         if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
         steps:
-            - name: Check if lint workflow passed
+            - name: Validate workflow_run security
               if: github.event_name == 'workflow_run'
               uses: actions/github-script@v7
               with:
                   script: |
-                      const headSha = context.payload.workflow_run?.head_sha;
+                      const workflowRun = context.payload.workflow_run;
+                      
+                      // Validate workflow_run is from the same repository (not a fork)
+                      if (!workflowRun || workflowRun.repository.full_name !== context.repo.owner + '/' + context.repo.repo) {
+                        core.setFailed('Security: workflow_run must be from the same repository');
+                        return;
+                      }
+                      
+                      // Validate head SHA format
+                      const headSha = workflowRun.head_sha;
                       if (!headSha || !/^[a-f0-9]{40}$/i.test(headSha)) {
-                        core.setFailed('Invalid head SHA');
+                        core.setFailed('Invalid head SHA format');
+                        return;
+                      }
+                      
+                      // Validate branch is allowed
+                      const allowedBranches = ['main', 'develop'];
+                      if (!allowedBranches.includes(workflowRun.head_branch)) {
+                        core.setFailed(`Security: workflow_run from branch '${workflowRun.head_branch}' is not allowed. Allowed branches: ${allowedBranches.join(', ')}`);
                         return;
                       }
+                      
+                      // Check if lint workflow passed
                       const { data: runs } = await github.rest.actions.listWorkflowRuns({
                           owner: context.repo.owner,
                           repo: context.repo.repo,