From 19a0fef866cee1704ea109dbcbfbb3d4b0c5d4f7 Mon Sep 17 00:00:00 2001
From: Akshay Aggarwal
Date: Mon, 16 Feb 2026 13:54:45 +0000
Subject: [PATCH] Potential fix for code scanning alert no. 4: Checkout of untrusted code in trusted context

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/pull-request-main.yml | 15 ++++----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/pull-request-main.yml b/.github/workflows/pull-request-main.yml
index 0665ac03..c1c8e30a 100644
--- a/.github/workflows/pull-request-main.yml
+++ b/.github/workflows/pull-request-main.yml
@@ -143,19 +143,12 @@ jobs:
 - name: Check if current branch exists in chainlink repo
 id: check-branch
 env:
- BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
 GITHUB_TOKEN: ${{ steps.setup-github-token.outputs.access-token }}
 run: |
- echo "Current branch: $BRANCH_NAME"
-
- # Check if branch exists in the target repository
- if gh api "repos/smartcontractkit/chainlink/branches/$BRANCH_NAME" --silent 2>/dev/null; then
- echo "Branch $BRANCH_NAME exists in chainlink repository. Going to use it"
- echo "target_branch=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
- else
- echo "Branch $BRANCH_NAME does not exist in chainlink repository, will use develop"
- echo "target_branch=develop" >> "$GITHUB_OUTPUT"
- fi
+ # For security, always use a trusted branch of the chainlink repository
+ # rather than deriving it from pull request metadata.
+ echo "Using fixed target branch 'develop' for chainlink repository."
+ echo "target_branch=develop" >> "$GITHUB_OUTPUT"
 - name: Derive nightly image tag
 id: derive-nightly-image-tag
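Review bot: The step still exports `GITHUB_TOKEN: ${{ steps.setup-github-token.outputs.access-token }}` in its `env:` even though the rewritten `run:` no longer calls `gh api`, so an access token is being handed to a step that only echoes a constant; remove that env line (and the now-empty `env:` block) so the token is scoped only to steps that actually use it. The step `name` "Check if current branch exists in chainlink repo" no longer describes what the step does — keep `id: check-branch`, since later steps presumably read `steps.check-branch.outputs.target_branch`, but rename it to something like `name: Select chainlink target branch (pinned to develop)`. The new two-line comment should also record what was given up and why, e.g. `# Previously resolved a same-named branch in smartcontractkit/chainlink from the PR head ref, which let a PR author choose the chainlink revision checked out in this trusted job; the target is now fixed.`, so a later maintainer does not reinstate the lookup. The checkout of chainlink and the consumers of `target_branch` are outside this hunk, so whether `develop` itself is further pinned to a commit cannot be judged here.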