From de173ae7d96c9aab3334701568b3709b0b00d1e7 Mon Sep 17 00:00:00 2001
From: pdewilde <pdewilde@google.com>
Date: Mon, 20 Oct 2025 16:25:43 -0700
Subject: [PATCH 1/3] fail

---
 .github/workflows/fail-conditional.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/fail-conditional.yml b/.github/workflows/fail-conditional.yml
index f690e8a..4810c8c 100644
--- a/.github/workflows/fail-conditional.yml
+++ b/.github/workflows/fail-conditional.yml
@@ -28,4 +28,4 @@ jobs:
       run: |
         echo 'Failing because "fail" was found in the commit message.'
         exit 1
-# foobar1234
+

From bc5c6cb97bf1d37636093e03994167592c6451bd Mon Sep 17 00:00:00 2001
From: pdewilde <pdewilde@google.com>
Date: Tue, 18 Nov 2025 14:57:27 -0800
Subject: [PATCH 2/3] Test that a failing scan can still be merged (rule is in
 evaluate mode)

---
 .github/workflows/vulnerable_test.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/vulnerable_test.yml

diff --git a/.github/workflows/vulnerable_test.yml b/.github/workflows/vulnerable_test.yml
new file mode 100644
index 0000000..a8f8270
--- /dev/null
+++ b/.github/workflows/vulnerable_test.yml
@@ -0,0 +1,23 @@
+name: 'Vulnerable Workflow'
+
+on:
+  pull_request_target:
+    types: ['opened', 'synchronize']
+
+jobs:
+  vulnerable-job:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: 'Checkout PR code (Unsafe)'
+        uses: 'actions/checkout@v3'
+        with:
+          ref: '${{ github.event.pull_request.head.sha }}'
+      
+      - name: 'Run script'
+        run: |
+          echo "Running code from the PR..."
+          # In a real attack, this could be a script modified by the attacker
+          if [ -f ./script.sh ]; then
+            chmod +x ./script.sh
+            ./script.sh
+          fi

From d5e5f6f96f282d65efb1622ebea3048dfda3bbf2 Mon Sep 17 00:00:00 2001
From: pdewilde <pdewilde@google.com>
Date: Tue, 18 Nov 2025 15:16:15 -0800
Subject: [PATCH 3/3] fail

---
 .github/workflows/fail-conditional.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/fail-conditional.yml b/.github/workflows/fail-conditional.yml
index 4810c8c..640c637 100644
--- a/.github/workflows/fail-conditional.yml
+++ b/.github/workflows/fail-conditional.yml
@@ -29,3 +29,4 @@ jobs:
         echo 'Failing because "fail" was found in the commit message.'
         exit 1
 
+