OpenHands · enyst · Feb 18, 2026 · Feb 21, 2026
diff --git a/.github/actions/pr-review/action.yml b/.github/actions/pr-review/action.yml
@@ -53,14 +53,17 @@ runs:
               ref: ${{ inputs.sdk-version }}
               path: software-agent-sdk
 
-        - name: Checkout PR repository
+        # Security: do NOT checkout or execute untrusted PR code in a workflow
+        # that has access to secrets. Instead, checkout the trusted base repo
+        # version and fetch PR diffs via the GitHub API.
+        - name: Checkout target repository (trusted base)
           uses: actions/checkout@v4
           with:
-              repository: ${{ github.event.pull_request.head.repo.full_name }}
-              ref: ${{ github.event.pull_request.head.ref }}
+              repository: ${{ github.event.pull_request.base.repo.full_name }}
+              ref: ${{ github.event.pull_request.base.sha }}
               fetch-depth: 0
               persist-credentials: false
-              path: pr-repo
+              path: target-repo
 
         - name: Set up Python
           uses: actions/setup-python@v5
@@ -134,7 +137,7 @@ runs:
               PR_HEAD_BRANCH: ${{ github.event.pull_request.head.ref }}
               REPO_NAME: ${{ github.repository }}
           run: |
-              cd pr-repo
+              cd target-repo
               uv run python ../software-agent-sdk/examples/03_github_workflows/02_pr_review/agent_script.py
 
         - name: Upload logs as artifact
@@ -145,13 +148,15 @@ runs:
               path: |
                   *.log
                   output/
+                  target-repo/*.log
+                  target-repo/output/
               retention-days: 7
 
         - name: Upload Laminar trace info for evaluation
           uses: actions/upload-artifact@v4
           if: success()
           with:
               name: pr-review-trace-${{ github.event.pull_request.number }}
-              path: pr-repo/laminar_trace_info.json
+              path: target-repo/laminar_trace_info.json
               retention-days: 30
               if-no-files-found: ignore
diff --git a/.github/workflows/auto-label-issues.yml b/.github/workflows/auto-label-issues.yml
@@ -15,7 +15,7 @@ jobs:
             - name: Add needs-triage label
               uses: actions/github-script@v7
               with:
-                  github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+                  github-token: ${{ github.token }}
                   script: |
                       // Get the issue details
                       const issue = context.payload.issue;

diff --git a/.github/workflows/condenser-runner.yml b/.github/workflows/condenser-runner.yml
@@ -49,7 +49,6 @@ jobs:
         runs-on: ubuntu-22.04
         permissions:
             contents: read
-            id-token: write
             pull-requests: write
         strategy:
             matrix:

diff --git a/.github/workflows/integration-runner.yml b/.github/workflows/integration-runner.yml
@@ -54,6 +54,16 @@ env:
 
 jobs:
     setup-matrix:
+        if: |
+            github.event_name == 'workflow_dispatch' ||
+            (github.event_name == 'schedule' && github.repository == 'OpenHands/software-agent-sdk') ||
+            (
+                github.event_name == 'pull_request_target' && (
+                    github.event.label.name == 'integration-test' ||
+                    github.event.label.name == 'behavior-test'
+                )
+            )
+
         runs-on: ubuntu-latest
         outputs:
             matrix: ${{ steps.resolve-models.outputs.matrix }}
@@ -219,7 +229,6 @@ jobs:
         timeout-minutes: 180
         permissions:
             contents: read
-            id-token: write
             pull-requests: write
             issues: write
         strategy:

diff --git a/.github/workflows/pr-review-by-openhands.yml b/.github/workflows/pr-review-by-openhands.yml
@@ -2,12 +2,10 @@
 name: PR Review by OpenHands
 
 on:
-    # TEMPORARY MITIGATION (Clinejection hardening)
-    #
-    # We temporarily avoid `pull_request_target` here. We'll restore it after the PR review
-    # workflow is fully hardened for untrusted execution.
-    pull_request:
-        types: [opened, ready_for_review, labeled, review_requested]
+    # Use pull_request_target so the workflow can comment on PRs from forks.
+    # Security: restrict execution to an explicit maintainer-applied label.
+    pull_request_target:
+        types: [labeled]
 
 permissions:
     contents: read
@@ -16,22 +14,8 @@ permissions:
 
 jobs:
     pr-review:
-        # Note: fork PRs will not have access to repository secrets under `pull_request`.
-        # Skip forks to avoid noisy failures until we restore a hardened `pull_request_target` flow.
-        if: |
-            github.event.pull_request.head.repo.full_name == github.repository &&
-            (
-                (github.event.action == 'opened' && github.event.pull_request.draft == false) ||
-                github.event.action == 'ready_for_review' ||
-                (github.event.action == 'labeled' && github.event.label.name == 'review-this') ||
-                (
-                    github.event.action == 'review_requested' &&
-                    (
-                        github.event.requested_reviewer.login == 'openhands-agent' ||
-                        github.event.requested_reviewer.login == 'all-hands-bot'
-                    )
-                )
-            )
+        # Security: only run when a maintainer applies the explicit label.
+        if: github.event.label.name == 'review-this'
         concurrency:
             group: pr-review-${{ github.event.pull_request.number }}
             cancel-in-progress: true
@@ -46,8 +30,9 @@ jobs:
                   llm-base-url: https://llm-proxy.app.all-hands.dev
                   # Review style: roasted (other option: standard)
                   review-style: roasted
-                  # Use the PR's head commit SHA to test SDK changes on the SDK repo itself
-                  sdk-version: ${{ github.event.pull_request.head.sha }}
+                  # Security: never execute untrusted PR code in this workflow.
+                  # Use a trusted ref for the PR review tooling.
+                  sdk-version: main
                   llm-api-key: ${{ secrets.LLM_API_KEY }}
-                  github-token: ${{ secrets.ALLHANDS_BOT_GITHUB_PAT }}
+                  github-token: ${{ github.token }}
                   lmnr-api-key: ${{ secrets.LMNR_SKILLS_API_KEY }}