From 14107d6cd3a243b407fa0d4524e288cdbcc37ec5 Mon Sep 17 00:00:00 2001
From: Hong Yi Chen
Date: Fri, 1 May 2026 14:20:17 -0700
Subject: [PATCH] Harden respond-to-comment.yml against fork PRs
Adds a fork-guard step before checkout/agent/push, and pins warpdotdev/oz-agent-action from the floating @v1 tag to a commit SHA in both workflows.
Co-Authored-By: Oz
---
 .github/workflows/respond-to-comment.yml | 46 +++++++++++++++++++++++-
 .github/workflows/review-pr.yml | 2 +-
 2 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/respond-to-comment.yml b/.github/workflows/respond-to-comment.yml
index 4d87a86..bd35765 100644
--- a/.github/workflows/respond-to-comment.yml
+++ b/.github/workflows/respond-to-comment.yml
@@ -21,6 +21,50 @@ jobs:
 pull-requests: write
 issues: write
 steps:
+ - name: Check PR is not from a fork
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ github.token }}
+ script: |
+ const { owner, repo } = context.repo;
+ const prNumber = context.payload.issue?.number
+ ?? context.payload.pull_request?.number;
+ if (!prNumber) {
+ core.setFailed('Could not determine PR number from event payload.');
+ return;
+ }
+
+ const { data: pr } = await github.rest.pulls.get({
+ owner,
+ repo,
+ pull_number: prNumber,
+ });
+
+ const headRepo = pr.head?.repo?.full_name;
+ const upstream = `${owner}/${repo}`;
+ if (headRepo !== upstream) {
+ const author = context.payload.comment.user.login;
+ const body = `@${author}: Sorry, I can't run on pull requests from forks for security reasons (this PR's head is \`${headRepo ?? 'unknown'}\`). A maintainer can re-open this as a branch on \`${upstream}\` and I'll be happy to help there.`;
+
+ if (context.eventName === 'pull_request_review_comment') {
+ await github.rest.pulls.createReplyForReviewComment({
+ owner,
+ repo,
+ pull_number: prNumber,
+ comment_id: context.payload.comment.id,
+ body,
+ });
+ } else {
+ await github.rest.issues.createComment({
+ owner,
+ repo,
+ issue_number: prNumber,
+ body,
+ });
+ }
+
+ core.setFailed(`Refusing to run on fork PR (head repo: ${headRepo ?? 'unknown'}).`);
+ }
 - name: Check author permissions
 uses: actions/github-script@v7
 with:
@@ -145,7 +189,7 @@ jobs:
 core.setOutput('prompt', prompt);
 - name: Run Oz Agent
- uses: warpdotdev/oz-agent-action@v1
+ uses: warpdotdev/oz-agent-action@ce1621abf6a8ed8afdd4e4cc994545ede8fe1c6f # v1.0.12
 env:
 GH_TOKEN: ${{ github.token }}
 id: agent
diff --git a/.github/workflows/review-pr.yml b/.github/workflows/review-pr.yml
index 772db56..7f87e7d 100644
--- a/.github/workflows/review-pr.yml
+++ b/.github/workflows/review-pr.yml
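Review bot: The refusal comment in `Check PR is not from a fork` is posted before `Check author permissions` runs, so on a fork PR every triggering comment from any account gets a bot reply written with the job's `pull-requests: write` / `issues: write` token, unless a trigger filter outside this hunk already excludes them. Keep the `core.setFailed(...)` unconditional but gate only the reply, e.g. `if (['OWNER', 'MEMBER', 'COLLABORATOR'].includes(context.payload.comment.author_association)) { /* post reply */ }`. The new step also uses the floating `actions/github-script@v7` tag in the same commit that pins `warpdotdev/oz-agent-action` to a SHA; pinning it the same way (`uses: actions/github-script@<commit-sha> # v7`) would match the stated goal. The other steps of the job lie outside the hunk, so whether checkout later uses the PR head that was checked here cannot be confirmed from this view.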
@@ -18,7 +18,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Review PR with Oz agent
- uses: warpdotdev/oz-agent-action@v1
+ uses: warpdotdev/oz-agent-action@ce1621abf6a8ed8afdd4e4cc994545ede8fe1c6f # v1.0.12
 env:
 GH_TOKEN: ${{ github.token }}
 with: