From 194c6c146779ec8f14db1dec1924d23e0f81b98f Mon Sep 17 00:00:00 2001
From: Eli Bosley
Date: Tue, 16 Sep 2025 11:11:27 -0400
Subject: [PATCH] chore: enhance PR plugin upload workflow with improved concurrency handling and security measures

---
 .github/workflows/pr-plugin-upload.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pr-plugin-upload.yml b/.github/workflows/pr-plugin-upload.yml
index 3ec82f46d..608fb17d2 100644
--- a/.github/workflows/pr-plugin-upload.yml
+++ b/.github/workflows/pr-plugin-upload.yml
@@ -1,7 +1,9 @@
 name: Upload PR Plugin to R2
 
 concurrency:
-  group: pr-plugin-${{ github.event.workflow_run.id || github.run_id }}
+  # Use the PR number from the workflow run to group uploads for the same PR
+  # This ensures previous in-progress uploads for the same PR are cancelled
+  group: pr-plugin-${{ github.event.workflow_run.pull_requests[0].number || github.event.workflow_run.head_branch }}
   cancel-in-progress: true
 
 on:
@@ -29,6 +31,12 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          # SECURITY: Always checkout the default branch (trusted code)
+          # Never checkout PR code in workflow_run context
+          ref: ${{ github.event.repository.default_branch }}
+          # Ensure we're checking out the base repository, not a fork
+          repository: ${{ github.repository }}
 
       - name: Prepare artifact extraction directory
         run: |
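Review bot: The new concurrency `group` falls back to `github.event.workflow_run.head_branch`, and that fallback is the path most fork PRs will take, because GitHub leaves `workflow_run.pull_requests` empty for runs that originated in a fork; a bare branch name is chosen by the PR author and is not unique across forks, so two contributors both on `main` (or `fix`, `patch-1`, ...) would cancel each other's in-progress uploads with `cancel-in-progress: true`. Qualify the fallback with the head repository, e.g. `group: pr-plugin-${{ github.event.workflow_run.pull_requests[0].number || format('{0}/{1}', github.event.workflow_run.head_repository.full_name, github.event.workflow_run.head_branch) || github.run_id }}`. Keeping `github.run_id` as the last resort also preserves the old behaviour if this workflow ever runs from a trigger other than `workflow_run`, where both `workflow_run` fields are empty and every run would otherwise collapse into the single group `pr-plugin-`; the `on:` block continues outside the hunk, so I cannot confirm which triggers exist. The added comment should say which fallback applies to forks, e.g. `# Fork PRs have no pull_requests entry; fall back to head repo + branch`.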
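Review bot: Checking out the default branch does not by itself make this `workflow_run` job safe, because the untrusted input here is the PR-built artifact rather than the PR's source tree; the next step prepares an artifact extraction directory, so attacker-controlled archive contents will be unpacked on a runner that, with these `checkout` defaults, also holds the repository token in `.git/config`. Add `persist-credentials: false` under `with:` so `GITHUB_TOKEN` is not left on disk while that content is handled, and treat the extracted files strictly as data (never execute or `source` anything from the artifact, and guard the extraction against path traversal, i.e. reject entries containing `..` or absolute paths). `repository: ${{ github.repository }}` is already the action's default, so it is harmless documentation, but the `# SECURITY:` comment would be more accurate as `# SECURITY: only trusted default-branch code is checked out; the PR artifact downloaded below is untrusted data`. As a supply-chain hardening step for a job with write credentials, pin the action to a full commit SHA, e.g. `uses: actions/checkout@<full-sha> # v4`, instead of the mutable `@v4` tag. The job's `permissions:` and the rest of its steps are outside the hunk, so I cannot confirm what the token can reach.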