From 048ab948be5f56ffdcf7444d7162b393bfda0c5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ch=C3=BA=20P=C3=A1o=20H=E1=BB=93ng?=
Date: Wed, 22 Apr 2026 09:55:35 +0700
Subject: [PATCH] fix: read presubmit config from base branch for fork PRs

---
 buildkite/bazelci.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/buildkite/bazelci.py b/buildkite/bazelci.py
index effbbeab1e..feb3582a6e 100755
--- a/buildkite/bazelci.py
+++ b/buildkite/bazelci.py
@@ -1188,8 +1188,28 @@ def load_config(http_url, file_config, allow_imports=True, bazel_version=None):
         config = load_remote_yaml_file(http_url)
     else:
         file_config = file_config or ".bazelci/presubmit.yml"
-        with open(file_config, "r") as fd:
-            config = yaml.safe_load(fd)
+        if is_pull_request() and file_config == ".bazelci/presubmit.yml":
+            # For fork PRs, read the config from the base branch instead of the
+            # PR branch to prevent shell_commands injection from untrusted forks.
+            base_branch = os.getenv("BUILDKITE_PULL_REQUEST_BASE_BRANCH", "")
+            if base_branch:
+                execute_command(
+                    ["git", "fetch", "origin", base_branch],
+                    print_output=False,
+                    suppress_stdout=True,
+                )
+                config = yaml.safe_load(
+                    execute_command_and_get_output(
+                        ["git", "show", f"origin/{base_branch}:{file_config}"],
+                        print_output=False,
+                    )
+                )
+            else:
+                with open(file_config, "r") as fd:
+                    config = yaml.safe_load(fd)
+        else:
+            with open(file_config, "r") as fd:
+                config = yaml.safe_load(fd)
 
     # Legacy mode means that there is exactly one task per platform (e.g. ubuntu1604_nojdk),
     # which means that we can get away with using the platform name as task ID.
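Review bot: The base-branch protection fails open: when `BUILDKITE_PULL_REQUEST_BASE_BRANCH` is empty, the inner `else:` silently falls back to reading `.bazelci/presubmit.yml` from the PR checkout, which is exactly the untrusted input the comment above it says it wants to avoid. A missing base branch on a pull-request build is a broken environment rather than an expected state, so it would be safer to fail closed there, e.g. replace the two-line fallback with `raise ValueError("BUILDKITE_PULL_REQUEST_BASE_BRANCH is not set; refusing to read presubmit config from the PR branch")` (or whatever exception type load_config's callers already handle). Note also that the guard is keyed on `is_pull_request()` and on the exact default path rather than on the PR coming from a fork, so same-repo PRs take the base-branch path too and any other `file_config` value is still read from the checkout; if that is intended, the comment should say so. A consequence worth documenting is that a PR which introduces or edits `.bazelci/presubmit.yml` is validated against the base branch's version, and `git show` will fail if the file does not yet exist there. load_config starts before this hunk and continues after it.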