From f68a7cc899e2869e2ba6e13ae690430d92a2c2a8 Mon Sep 17 00:00:00 2001
From: Weston Steimel <author@code.w.steimel.me.uk>
Date: Tue, 24 Mar 2026 11:16:16 +0000
Subject: [PATCH] ci: further pr target code checkout assurances (#4695)

Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
---
 .github/workflows/detect-schema-changes.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/detect-schema-changes.yaml b/.github/workflows/detect-schema-changes.yaml
index a58ded049..91bb8519b 100644
--- a/.github/workflows/detect-schema-changes.yaml
+++ b/.github/workflows/detect-schema-changes.yaml
@@ -37,6 +37,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false
+          repository: anchore/syft # IMPORTANT! An additional protection that this is checking out code from the expected repository 
           ref: main # IMPORTANT!  It is CRITICAL that this only ever considers the code from main and NEVER EVER from a fork.
 
       - run: python .github/scripts/labeler.py