Check if PR is from a fork before dismissing runs. (#9300)

.github/workflows/robot/internal/bot/dismiss.go

@@ -42,6 +42,11 @@ func (b *Bot) Dimiss(ctx context.Context) error {
 	}
 
 	for _, pull := range pulls {
+		// Only dismiss stale runs from forks (external) as the workflow that triggers
+		// this method is intended for. Dismissing runs for internal contributors
+		// (non-fork) here could result in a race condition as runs are deleted upon
+		// trigger separately during the `Check` workflow.
+		if pull.Fork {
 			// HEAD could be controlled by an attacker, however, all this would allow is
 			// the attacker to dismiss a workflow run.
 			if err := b.dismiss(ctx, b.c.Environment.Organization, b.c.Environment.Repository, pull.UnsafeHead); err != nil {
@@ -49,6 +54,7 @@ func (b *Bot) Dimiss(ctx context.Context) error {
 				continue
 			}
 		}
+	}
 
 	return nil
 }

.github/workflows/robot/internal/github/github.go

@@ -145,6 +145,8 @@ type PullRequest struct {
 	// UnsafeHead is the name of the branch this PR is created from. It is marked
 	// unsafe as it can be attacker controlled.
 	UnsafeHead string
+	// Fork determines if the pull request is from a fork.
+	Fork bool
 }
 
 func (c *client) ListPullRequests(ctx context.Context, organization string, repository string, state string) ([]PullRequest, error) {
@@ -171,6 +173,7 @@ func (c *client) ListPullRequests(ctx context.Context, organization string, repo
 				Author:     pr.GetUser().GetLogin(),
 				Repository: repository,
 				UnsafeHead: pr.GetHead().GetRef(),
+				Fork:       pr.GetBase().GetRepo().GetFork(),
 			})
 		}
 		if resp.NextPage == 0 {