From 7ec1ef0bd145f8367630c128328d19fba13bc631 Mon Sep 17 00:00:00 2001
From: Gustavo Pires Cicutti
Date: Wed, 10 Jun 2026 01:51:26 -0300
Subject: [PATCH] security: gate pr-triage secrets on same-repository pull_request_target
---
 .github/workflows/pr-triage.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pr-triage.yml b/.github/workflows/pr-triage.yml
index 13199667de..a24d01a050 100644
--- a/.github/workflows/pr-triage.yml
+++ b/.github/workflows/pr-triage.yml
@@ -12,7 +12,11 @@ on:
 jobs:
 agent-triage-pull-request:
- if: github.event_name == 'workflow_dispatch' || !contains(github.event.pull_request.labels.*.name, 'google-contributor')
+ if: >-
+ github.event_name == 'workflow_dispatch' || (
+ github.event.pull_request.head.repo.full_name == github.repository &&
+ !contains(github.event.pull_request.labels.*.name, 'google-contributor')
+ )
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
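Review bot: The same-repository check in the new `if:` guards only the pull-request branch of the condition; the `github.event_name == 'workflow_dispatch'` branch still runs unconditionally. If the dispatch inputs (declared outside this hunk) let a run be pointed at a fork PR, that run would still handle fork-controlled content with the job's secrets and `pull-requests: write`. The trigger list and the job steps are not visible here, so this needs confirming against the rest of the file rather than assuming. I would also add a comment above the condition so the gate is not later removed as redundant, e.g. `# pull_request_target runs with repository secrets; only triage PRs whose head branch lives in this repository.` It is also worth stating in the workflow or PR description that fork PRs are now skipped by automatic triage, since the job-level `if:` skips them silently.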