Don't look at workflow run results in other repositories (#861)

This is a copy of 536d202. The same issue exists with the `workflow_run` event as with `check_run`. People can fork a repository and then propose pull requests from the original repository into their fork. This may result in webhooks being dispatched, but we want to ignore them.
palantir · Oct 9, 2024 · 758ecc9 · 758ecc9
1 parent 6c9a39e
commit 758ecc9
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/server/handler/workflow_run.go b/server/handler/workflow_run.go
@@ -44,6 +44,7 @@ func (h *WorkflowRun) Handle(ctx context.Context, eventType, deliveryID string,
 	}
 
 	repo := event.GetRepo()
+	repoID := repo.GetID()
 	ownerName := repo.GetOwner().GetLogin()
 	repoName := repo.GetName()
 	commitSHA := event.GetWorkflowRun().GetHeadSHA()
@@ -53,6 +54,18 @@ func (h *WorkflowRun) Handle(ctx context.Context, eventType, deliveryID string,
 
 	evaluationFailures := 0
 	for _, pr := range event.GetWorkflowRun().PullRequests {
+		// The `workflow_run` event includes pull requests that contain the SHA
+		// which is being checked. These can be pull requests _from_ our
+		// repository _to_ another one, for example if it's been forked and
+		// there's a PR to merge changes from our repo into the fork. We don't
+		// want to try to evaluate the policy for such PRs as they're nothing to
+		// do with us.
+		prBaseRepo := pr.GetBase().GetRepo()
+		if prBaseRepo.GetID() != repoID {
+			logger.Debug().Msgf("Skipping pull request '%d' from different repository '%s'", pr.GetNumber(), prBaseRepo.GetURL())
+			continue
+		}
+
 		if err := h.Evaluate(ctx, installationID, common.TriggerStatus, pull.Locator{
 			Owner:  ownerName,
 			Repo:   repoName,