From 65528737e22a91669eef50fa24087b453de6bb57 Mon Sep 17 00:00:00 2001
From: barakharyati <41957095+barakharyati@users.noreply.github.com>
Date: Sun, 7 Dec 2025 19:33:17 +0200
Subject: [PATCH] Fix RCE exposure: restrict pull_request_target prettier workflow to same-repo PRs

---
 .github/workflows/prettier.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
index 3cc69b529c371..5ecb2cab3e399 100644
--- a/.github/workflows/prettier.yml
+++ b/.github/workflows/prettier.yml
@@ -10,6 +10,12 @@ concurrency:
 
 jobs:
   format:
+    # ---------------------------------------------------------
+    # SAFETY CHECK:
+    # Only run for PRs from the SAME repository.
+    # Fork PRs are skipped entirely to prevent RCE via npm install.
+    # ---------------------------------------------------------
+    if: ${{ github.event.pull_request.head.repo.fork == false }}
     permissions:
       contents: write
     runs-on: ubuntu-latest
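Review bot: The added `if:` guard does not fail closed when `github.event.pull_request.head.repo` is absent (for example a head repository that has since been deleted), because GitHub expression comparison coerces both `null` and `false` to `0`, so `null == false` evaluates to true and the job still runs. Comparing the head repository's name with the base repository is the more robust form: `if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}`, which also keeps working when this repository is itself a fork (there `head.repo.fork` is true even for same-repo branches, so the current guard would skip every PR). The five-line banner could be reduced to one comment stating the invariant it protects, e.g. `# pull_request_target runs with write access to the base repo; only trust PR heads that live in this repository.` The rest of the `format` job (the checkout ref and the step that runs `npm install`) is outside this hunk, so whether those steps operate on the PR head or the base ref cannot be confirmed here.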