fix(CI): Fix CI pipeline for wallet-core fork pull requests #4800
Open
sergei-boiko-trustwallet wants to merge 4 commits into
Copilot stopped reviewing on behalf of sergei-boiko-trustwallet due to an error (June 11, 2026 10:18)
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR updates the bc-risk-router GitHub Actions workflow to run on pull_request_target instead of pull_request, and adjusts checkout behavior to scan PR head changes.
Changes:
- Switch workflow trigger from pull_request to pull_request_target.
- Update job condition to match the new event name.
- Checkout the PR head SHA to compute diffs against the contributor’s changes.
Binary size comparison
➡️ aarch64-apple-ios: 14.31 MB
➡️ aarch64-apple-ios-sim: 14.32 MB
➡️ aarch64-linux-android: 18.73 MB
➡️ armv7-linux-androideabi: 16.17 MB
➡️ wasm32-unknown-emscripten: 13.66 MB
… handling in scanner
This pull request refactors the "BC risk router" workflow to improve security, reliability, and maintainability by splitting the process into two separate GitHub Actions workflows: bc-scanner and bc-risk-router. The scanner workflow runs in the unprivileged fork context to detect sensitive file changes and uploads the result as an artifact, while the router workflow runs in the base repository context to post comments and enforce gating based on the scan results. The PR also improves the logic for associating PRs with workflow runs, enhances check run posting, and clarifies environment variable usage in comments.

Workflow separation and security model:
- bc-scanner workflow (.github/workflows/claude-bc-scanner.yml) that runs on PR events in the fork context (no secrets, read-only), detects changes to persistence-sensitive files, and uploads the results as an artifact for downstream consumption.
- bc-risk-router (.github/workflows/claude-bc-risk-router.yml) to run on workflow_run events triggered by the scanner, ensuring it only runs with write permissions in the base repo context and never checks out code.

Improved artifact handling and comment logic:
Enhanced check run and PR association:
These changes collectively make the BC risk gating process more secure, reliable, and maintainable by clearly separating concerns, minimizing permission scopes, and ensuring that gating logic accurately tracks the state of each PR.
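An added example, not code from this pull request or the project: a line-based Python check for the property the description gives the router, namely that a workflow with a base-context trigger never checks out PR-controlled code. The sample workflow and the function names are constructed for illustration, and the matching is a heuristic rather than a YAML parser.

```python
import re

# Events whose jobs run in the base repository context (write token, secrets).
PRIVILEGED = re.compile(r"\b(pull_request_target|workflow_run)\b")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
# Expressions that resolve to a commit or branch chosen by the PR author.
UNTRUSTED_REF = re.compile(r"github\.(head_ref|event\.pull_request\.head\.(sha|ref)"
                           r"|event\.workflow_run\.head_(sha|branch))")

def privileged_triggers(text):
    """Privileged event names in the top-level `on:` block (line heuristic)."""
    found, in_on = set(), False
    for line in text.splitlines():
        if re.match(r"on\s*:", line):
            in_on = True
        elif in_on and re.match(r"[^\s#]", line):
            in_on = False  # the next top-level key ends the `on:` block
        if in_on:
            found.update(PRIVILEGED.findall(line.split("#")[0]))
    return found

def untrusted_checkouts(text):
    """1-based line numbers of actions/checkout steps whose `ref:` is PR-controlled."""
    lines, hits = text.splitlines(), []
    for i, line in enumerate(lines):
        if CHECKOUT.search(line):
            for follow in lines[i + 1:]:
                if re.match(r"\s*-\s", follow):  # the next step starts here
                    break
                if re.match(r"\s*ref\s*:", follow) and UNTRUSTED_REF.search(follow):
                    hits.append(i + 1)
                    break
    return hits

def audit(text):
    """Findings only when a privileged trigger and a PR-head checkout coexist."""
    triggers = ", ".join(sorted(privileged_triggers(text)))
    where = untrusted_checkouts(text) if triggers else []
    return [f"line {n}: PR head checked out under {triggers}" for n in where]

# Constructed sample, not one of the project's workflow files.
COMBINED = """on:
  pull_request_target:
jobs:
  route:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
```

The same steps under a plain pull_request trigger produce no finding, and neither does a workflow_run workflow with no checkout step, which matches the scanner and router split described above.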