From 19a0fef866cee1704ea109dbcbfbb3d4b0c5d4f7 Mon Sep 17 00:00:00 2001
From: Akshay Aggarwal
Date: Mon, 16 Feb 2026 13:54:45 +0000
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 4: Checkout of untrusted code in trusted context
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/pull-request-main.yml | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/pull-request-main.yml b/.github/workflows/pull-request-main.yml
index 0665ac03..c1c8e30a 100644
--- a/.github/workflows/pull-request-main.yml
+++ b/.github/workflows/pull-request-main.yml
@@ -143,19 +143,12 @@ jobs:
       - name: Check if current branch exists in chainlink repo
         id: check-branch
         env:
-          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
           GITHUB_TOKEN: ${{ steps.setup-github-token.outputs.access-token }}
         run: |
-          echo "Current branch: $BRANCH_NAME"
-
-          # Check if branch exists in the target repository
-          if gh api "repos/smartcontractkit/chainlink/branches/$BRANCH_NAME" --silent 2>/dev/null; then
-            echo "Branch $BRANCH_NAME exists in chainlink repository. Going to use it"
-            echo "target_branch=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
-          else
-            echo "Branch $BRANCH_NAME does not exist in chainlink repository, will use develop"
-            echo "target_branch=develop" >> "$GITHUB_OUTPUT"
-          fi
+          # For security, always use a trusted branch of the chainlink repository
+          # rather than deriving it from pull request metadata.
+          echo "Using fixed target branch 'develop' for chainlink repository."
+          echo "target_branch=develop" >> "$GITHUB_OUTPUT"
 
       - name: Derive nightly image tag
         id: derive-nightly-image-tag

From df48f4c8adfa0cb264546c16a0971d191ee27761 Mon Sep 17 00:00:00 2001
From: Akshay Aggarwal
Date: Fri, 20 Feb 2026 18:35:42 +0000
Subject: [PATCH 2/2] update
---
 .github/workflows/pull-request-main.yml | 12 +----------
 1 file changed, 1 insertion(+), 11 deletions(-)
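Review bot: The `env:` block of the check-branch step still binds `GITHUB_TOKEN` to `steps.setup-github-token.outputs.access-token`, but after this change the `run:` script no longer calls `gh` and has no use for it, so a credential is exposed to a step that does not need it. Drop the `env:` block, or the whole step, since it now only emits the constant `target_branch=develop` that the checkout could use directly. The added comment says "For security" without naming the risk; I would make it concrete for the next reader: `# The chainlink ref must not come from PR metadata (github.head_ref): the scanning alert flagged that as untrusted input selecting which code this job checks out.` The enclosing job definition starts before this hunk.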
diff --git a/.github/workflows/pull-request-main.yml b/.github/workflows/pull-request-main.yml
index c1c8e30a..3d882f96 100644
--- a/.github/workflows/pull-request-main.yml
+++ b/.github/workflows/pull-request-main.yml
@@ -140,16 +140,6 @@ jobs:
           BINARY_NAME="cre_linux_amd64"
           go build -ldflags "-X 'github.com/smartcontractkit/cre-cli/cmd/version.Version=version $VERSION'" -o "${BINARY_NAME}"
 
-      - name: Check if current branch exists in chainlink repo
-        id: check-branch
-        env:
-          GITHUB_TOKEN: ${{ steps.setup-github-token.outputs.access-token }}
-        run: |
-          # For security, always use a trusted branch of the chainlink repository
-          # rather than deriving it from pull request metadata.
-          echo "Using fixed target branch 'develop' for chainlink repository."
-          echo "target_branch=develop" >> "$GITHUB_OUTPUT"
-
       - name: Derive nightly image tag
         id: derive-nightly-image-tag
         shell: bash
@@ -162,7 +152,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # actions/checkout@v4.2.2
         with:
           repository: smartcontractkit/chainlink
-          ref: ${{ steps.check-branch.outputs.target_branch }}
+          ref: develop
           path: chainlink
 
       - name: Set up Go
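Review bot: Removing the check-branch step turns `steps.check-branch.outputs.target_branch` into an unknown output, and GitHub Actions expands a reference to an unknown step output to an empty string instead of failing, so any reference that survives elsewhere in this workflow would silently produce an empty value. The second hunk replaces the one reference visible here; the "Derive nightly image tag" step that follows is the obvious place to check, and a search of the file for `check-branch` would confirm nothing else depends on it. The enclosing job starts before this hunk.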
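Review bot: `ref: develop` resolves to whatever the head of chainlink's `develop` branch is at run time, so the code checked out into `path: chainlink` is not pinned and is not reproducible across runs, unlike the checkout action itself, which the `uses:` line pins to a commit SHA with a version comment. If this job needs a fixed, reviewable dependency, pin a commit or tag here and record why; if tracking the moving branch is intended, say so next to the line, e.g. `ref: develop  # intentionally tracks the branch head, not pinned`. The step's enclosing job starts before this hunk.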