From 8fb7285e3cadf08e7172b992c5c8007bcd236b93 Mon Sep 17 00:00:00 2001
From: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Date: Thu, 7 May 2026 08:16:26 +0700
Subject: [PATCH] Potential fix for code scanning alert no. 226: Artifact poisoning
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
---
.github/workflows/npm.yml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml
index 323059e99e6b6..dfef0c90463a2 100644
--- a/.github/workflows/npm.yml
+++ b/.github/workflows/npm.yml
@@ -126,6 +126,12 @@ jobs:
 mkdir -p "$ARTIFACT_DIR"
 ls -la "$ARTIFACT_DIR" || true
 
+ - name: Require trusted workflow_run context for artifact consumption
+ if: ${{ github.event_name != 'workflow_run' }}
+ run: |
+ echo "Refusing to consume artifacts outside workflow_run context." >&2
+ exit 1
+
 - name: Download Release Assets
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
@@ -135,7 +141,7 @@ jobs:
 # Extract artifacts into an isolated temp directory, not the workspace
 path: ${{ steps.paths.outputs.artifact_dir }}
 github-token: ${{ secrets.GITHUB_TOKEN }}
- run-id: ${{ github.event.workflow_run.id || inputs.run_id }}
+ run-id: ${{ github.event.workflow_run.id }}
 
 - name: Setup Bun
 uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
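Review bot: The guard step added in the first hunk checks only `github.event_name`, so a `workflow_run` event raised by a pull-request workflow from a fork still passes it and the following step downloads that run's artifacts with `secrets.GITHUB_TOKEN`; the event name alone does not establish where the artifact came from, which is what the artifact-poisoning alert is about. Tightening the condition to the triggering run's origin and outcome closes that gap, e.g. `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.head_repository.full_name != github.repository || github.event.workflow_run.conclusion != 'success' }}` (narrow further to the specific workflow and branch this job is meant to trust). A short comment on the step would also help future readers, such as `# Only consume artifacts from the workflow_run that produced them; a run id taken from inputs could point at a run this job does not control.` The job that contains these steps starts before the hunk, so whether the job already has a job-level `if:` covering this cannot be seen here.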
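Review bot: Removing the `|| inputs.run_id` fallback in the second hunk leaves any `workflow_dispatch` trigger that declares a `run_id` input (the removed expression implies one exists) unable to reach this step, since the new guard exits 1 for every non-`workflow_run` event; that input and trigger should be dropped from `on:` in the same change, or the guard documented so the fallback is not reintroduced later. If manual reruns are still wanted, the manually supplied id would need to be validated against the trusted workflow's runs rather than passed straight to `run-id`. The `on:` block and the rest of the job are outside the hunk, so this is inferred from the removed line only.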