From 7f42e573f18a097efb8844978cfb5fda2a23c7c9 Mon Sep 17 00:00:00 2001
From: q1uf3ng
Date: Fri, 8 May 2026 13:58:41 +0800
Subject: [PATCH] fix: add approval gate to call-check-tflite-files job

The call-check-tflite-files job in pr_test.yml is missing the needs: [gatekeeper, approval-gate] dependency that all other jobs have. This allows fork PRs to execute arbitrary code via the checked-out shell script without waiting for approval, bypassing the security gate.

BUG=n/a
---
 .github/workflows/pr_test.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/pr_test.yml b/.github/workflows/pr_test.yml
index 48a2d91a83b..2140cef71aa 100644
--- a/.github/workflows/pr_test.yml
+++ b/.github/workflows/pr_test.yml
@@ -64,6 +64,8 @@ jobs:
 run: echo "CI Authorized."
 call-check-tflite-files:
+ needs: [gatekeeper, approval-gate]
+ if: needs.gatekeeper.outputs.scope != 'none'
 uses: ./.github/workflows/check_tflite_files.yml
 with:
 trigger-sha: ${{ github.event.pull_request.head.sha }}
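Review bot: The gate on `call-check-tflite-files` relies on the implicit `success()` that GitHub Actions applies to an `if:` containing no status function, and nothing on the job records that. As written, a failed or skipped `approval-gate` skips this job, which is the intended behaviour, but a later edit that adds `always()` or `!cancelled()` to the condition would let the job run without approval. I would add a comment above `needs:`, for example `# Runs code from the PR head (trigger-sha); keep behind approval-gate and do not add always()/!cancelled() to the if.` The definitions of `gatekeeper`, `approval-gate` and the `scope` output are outside this hunk, so it is worth confirming that `approval-gate` is not skipped for PRs that should still run this check, and that `check_tflite_files.yml` has no other trigger that would run it ungated.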